SUMMARY: The Department of Health and
Human Services (HHS) is issuing this 
final rule to update and modernize the 
Confidentiality of Alcohol and Drug 
Abuse Patient Records regulations and 
facilitate information exchange within 
new health care models while 
addressing the legitimate privacy 
concerns of patients seeking treatment 
for a substance use disorder. These 
modifications also help clarify the 
regulations and reduce unnecessary 
burden. 
I. Executive Summary
A. Purpose of the Regulatory Action 


The laws and regulations governing 
the confidentiality of substance use 
disorder records were written out of 
great concern about the potential use of 
substance use disorder information 
against individuals, causing individuals 
with substance use disorders not to seek 
needed treatment. The disclosure of 
records of individuals with substance 
use disorders has the potential to lead 
to a host of negative consequences, 
including: Loss of employment, loss of 
housing, loss of child custody, 
discrimination by medical professionals 
and insurers, arrest, prosecution, and 
incarceration. The purpose of the 
regulations at title 42 of the Code of 
Federal Regulations (CFR) part 2 (42 
CFR part 2) is to ensure that a patient 
receiving treatment for a substance use 
disorder in a part 2 program is not made 
more vulnerable by reason of the 
availability of their patient record than 
an individual with a substance use 
disorder who does not seek treatment. 
Now, more than 29 years since the part 
2 regulations were last substantively 
amended, this final rule makes policy 
changes to the regulations to better align 
them with advances in the U.S. health 
care delivery system while retaining 
important privacy protections. 


Need for Regulatory Action 


The last substantive update to these 
regulations was in 1987. Over the last 29 
years, significant changes have occurred
within the U.S. health care system that
were not envisioned by the current 
(1987) regulations, including new 
models of integrated care that are built 
on a foundation of information sharing 
to support coordination of patient care, 
the development of an electronic 
infrastructure for managing and 
exchanging patient information, and a 
new focus on performance measurement 
within the health care system. SAMHSA 
wants to ensure that patients with 
substance use disorders have the ability 
to participate in, and benefit from health 
system delivery improvements, 
including from new integrated health 
care models while providing 
appropriate privacy safeguards. These 
new integrated models are foundational 
to HHS’s delivery system reform goals of 
better care, smarter spending, and 
healthier people. 


Legal Authority for Regulatory Action 


This final rule revises 42 CFR part 2, 
Confidentiality of Alcohol and Drug 
Abuse Patient Records regulations. The 
authorizing statute, Title 42, United 
States Code (U.S.C.) 290dd-2, protects
the confidentiality of the records 
containing the identity, diagnosis, 
prognosis, or treatment of any patient 
that are maintained in connection with 
the performance of any federally 
assisted program or activity relating to 
substance abuse (now referred to as 
substance use disorder) education, 
prevention, training, treatment, 
rehabilitation, or research. Title 42 of 
the CFR part 2 was first promulgated in 
1975 (40 FR 27802) and last 
substantively updated in 1987 (52 FR 
21796). 


B. Summary of the Major Provisions 


Proposed modifications to 42 CFR 
part 2 were published as a Notice of 
Proposed Rulemaking (NPRM) on 
February 9, 2016 (81 FR 6988). After 
consideration of the public comments 
received in response to the NPRM, 
SAMHSA is issuing this final rule 
amending 14 major provisions of 42 
CFR part 2, as follows: 

Statutory authority for confidentiality 
of substance use disorder patient 
records (§ 2.1) combines old § 2.1 
(Statutory authority for confidentiality 
of drug abuse patient records), and § 2.2 
(Statutory authority for confidentiality 
of alcohol abuse patient records) and 
deletes references to 42 U.S.C. 290ee-3
and 42 U.S.C. 290dd-3, as these
U.S.C. sections were omitted by Public 
Law 102-321 and combined and 
renamed into Section 290dd-2, 
Confidentiality of records. Because 
SAMHSA combined former §§ 2.1 and
2.2 into § 2.1, we redesignated §§ 2.2
through 2.5 accordingly. 

Reports of violations (§ 2.4) revises 
the requirement for reporting violations 
of these regulations by methadone 
programs (now referred to as opioid 
treatment programs) to the Food and 
Drug Administration (FDA) because the 
authority over these programs was 
transferred from the FDA to the 
Substance Abuse and Mental Health 
Services Administration (SAMHSA) in 
2001. 

Definitions (§ 2.11) revises some 
existing definitions, adds new 
definitions of key terms that apply to 42 
CFR part 2, and consolidates all but one 
of the definitions that are currently in 
other sections into § 2.11 (e.g., the 
definition of “Minor” previously found
in § 2.14(a)). We revised the definitions
of “Central registry,” “Disclose or
disclosure,” “Maintenance treatment,”
“Member program,” “Patient,” “Patient
identifying information,” “Person,”
“Program,” “Qualified service
organization (QSO),” “Records,” and
“Treatment.” We also added definitions
of “Part 2 program,” “Part 2 program
director,” “Substance use disorder,”
“Treating provider relationship,” and
“Withdrawal management,” some of
which replaced existing definitions. In
addition, SAMHSA revised the
regulatory text to use terminology in a
consistent manner. The following
definitions were not revised
substantively: “Diagnosis,”
“Informant,” “Minor,” “Third-party
payer,” and “Undercover agent.”

Applicability (§ 2.12) continues to 
apply the 42 CFR part 2 regulations to 
a program that is federally assisted and 
holds itself out as providing, and 
provides, substance use disorder 
diagnosis, treatment, or referral for 
treatment. Most changes to the 
applicability of the part 2 regulations 
result from SAMHSA’s decision not to 
finalize one of its proposed changes to 
the definition of “Program” (see § 2.11,
Definitions). Whereas the NPRM
definition of “Program” included, under
certain conditions, “general medical
practices” in addition to “general
medical facilities,” the definition in this
final rule is limited to “general medical
facilities.” However, consistent with the
NPRM, the definition of “Program”
continues to use the term “general
medical facility” rather than both
“general medical facility” and “general
medical care facility” that were used
interchangeably in the 1987 final rule
definition of “Program.” For example,
an identified unit within a general 
medical facility is subject to part 2 if it 
holds itself out as providing, and 
provides, substance use disorder 
diagnosis, treatment, or referral for
treatment. In addition, if the primary 
function of medical personnel or other 
staff in a general medical facility is the 
provision of such services and they are 
identified as providing such services, 
they are considered a “Program” and, 
thus, subject to part 2. This final rule 
revises § 2.12(d)(2)(i)(C) so that 
restrictions on disclosures also apply to 
individuals or entities who receive 
patient records from other lawful 
holders of patient identifying 
information, such that patient records 
subject to the part 2 regulations include 
substance use disorder records 
maintained by part 2 programs, as well 
as those records in the possession of 
“other lawful holders of patient 
identifying information.” 

Confidentiality restrictions and 
safeguards (§ 2.13) adds a requirement 
that, upon request, patients who have 
included a general designation in the 
“To Whom” section of their consent 
form (see § 2.31) must be provided a list 
of entities (referred to as a List of 
Disclosures) to which their information 
has been disclosed pursuant to the 
general designation. 

Security for records (§ 2.16) clarifies 
that this section requires both part 2 
programs and other lawful holders of 
patient identifying information to have 
in place formal policies and procedures 
addressing security, including 
sanitization of associated media, for 
both paper and electronic records. 

Disposition of records by 
discontinued programs (§ 2.19) 
addresses both paper and electronic 
records. SAMHSA also added 
requirements for sanitizing associated 
media. 

In Section I., Notice to Patients of 
Federal Confidentiality Requirements 
(§ 2.22), SAMHSA clarifies that the 
written summary of federal law and 
regulations may be provided to patients 
in either paper or electronic format. 
SAMHSA also revised § 2.22 to require 
the statement regarding the reporting of 
violations include contact information 
for the appropriate authorities. 

Consent requirements (§ 2.31) 
permits, in certain circumstances, a 
patient to include a general designation 
in the “To Whom” section of the 
consent form, in conjunction with 
requirements that the consent form 
include an explicit description of the 
amount and kind of substance use 
disorder treatment information that may 
be disclosed. SAMHSA decided not to 
finalize its proposed changes to the 
“From Whom” section, but did make 
minor updates to the terminology in the 
text. SAMHSA also revised § 2.31 to 
require the part 2 program or other
lawful holder of patient identifying
information to include a statement on
the consent form when using a general
designation in the “To Whom” section
of the consent form that patients have a 
right to obtain, upon request, a list of 
entities to which their information has 
been disclosed pursuant to the general 
designation (see § 2.13). In addition, 
SAMHSA revised § 2.31 to permit 
electronic signatures to the extent that 
they are not prohibited by any 
applicable law. 

In Section K., Prohibition on
Re-disclosure (§ 2.32), SAMHSA clarifies
that the prohibition on re-disclosure 
only applies to information that would 
identify, directly or indirectly, an 
individual as having been diagnosed, 
treated, or referred for treatment for a 
substance use disorder, such as 
indicated through standard medical 
codes, descriptive language, or both, 
and allows other health-related 
information shared by the part 2 
program to be re-disclosed, if 
permissible under other applicable 
laws. 

Disclosures to prevent multiple 
enrollments (§ 2.34) modernizes the 
terminology and definitions and moves 
the definitions to § 2.11 (Definitions). 

Medical emergencies (§ 2.51) revises 
the medical emergency exception to 
make it consistent with the statutory 
language and to give providers more 
discretion to determine when a “bona
fide medical emergency” exists. 

Research (§ 2.52) revises the research 
exception to permit data protected by 42 
CFR part 2 to be disclosed to qualified 
personnel for the purpose of conducting 
scientific research by a part 2 program 
or any other individual or entity that is 
in lawful possession of part 2 data if the 
researcher provides documentation of 
meeting certain requirements related to 
other existing protections for human 
research. SAMHSA also revised § 2.52 
to address data linkages to enable 
researchers holding part 2 data to obtain 
linkages to other datasets, provided that 
appropriate safeguards are in place as 
outlined in section 2.52. 

Audit and evaluation (§ 2.53) 
modernizes the requirements to include 
provisions governing both paper and 
electronic patient records. SAMHSA 
also revised § 2.53 to permit an audit or 
evaluation necessary to meet the 
requirements of a Centers for Medicare 
& Medicaid Services (CMS)-regulated 
accountable care organization
(CMS-regulated ACO) or similar
CMS-regulated organization (including a
CMS-regulated Qualified Entity (QE)), 
under certain conditions. 

The other sections in 42 CFR part 2 
that are not referenced above are not
addressed in this final rule nor were
they discussed in the NPRM because 
SAMHSA is maintaining their content 
substantively unchanged from the 1987 
final rule. 


C. Summary of Impacts 


In the first year that the final rule is 
in effect, we estimate that the total costs 
associated with updates to 42 CFR part 
2 will be roughly $70,691,000. In year 
two we estimate that costs will be 
$17,680,000, and increase annually as a 
larger share of entities implement List of 
Disclosures requirements and respond 
to disclosure requests. Over the 10-year 
period of 2016-2025, the total 
undiscounted cost of the part 2 changes 
will be about $241 million in 2016 
dollars. When future costs are 
discounted at 3 percent or 7 percent per 
year, the total costs become 
approximately $217,586,000 or 
$193,098,000, respectively. These costs 
are presented in the tables below. 

Costs associated with the 42 CFR part 
2 final rule include: updates to health
IT system costs, costs for staff training 
and updates to training curricula, costs 
to update patient consent forms, costs 
associated with providing patients a list 
of entities to which their information 
has been disclosed pursuant to a general 
designation on the consent form (i.e., 
the List of Disclosures requirement), and 
implementation costs associated with 
the List of Disclosures requirements. We 
assumed that costs associated with 
modifications to existing health IT 
systems, staff training costs associated 
with updating staff training materials, 
and costs to update consent forms will 
be one-time costs the first year the final 
rule is in effect and will not carry 
forward into future years. Staff training 
costs other than those associated with 
updating training materials are assumed 
to be ongoing annual costs to part 2 
programs, also beginning in the first 
year that the final rule is in effect. The 
List of Disclosures costs are assumed to 
be ongoing annual costs to entities 
named on a consent form that disclose 
patient identifying information to their 
participants under the general 
designation. Costs associated with the 
List of Disclosures provision are limited 
to implementation costs for entities that 
chose to upgrade their health IT systems 
in order to comply with the List of 
Disclosures requirements. Several 
provisions in the final rule reference 
other lawful holders of patient 
identifying information in combination 
with part 2 programs. These other 
lawful holders must comply with part 2 
requirements with respect to 
information they maintain that is 
covered by part 2 regulations. However, 
because this group is not clearly defined
with respect to the range of 
organizations it may include, we are 
unable to include estimates regarding 
the number and type of these 
organizations and are only including 
part 2 programs in this analysis. 

The benefit of modernizing the part
2 regulations is to increase 
opportunities for individuals with 
substance use disorders to participate in 
new and emerging health and health 
care models and health information 
technology (IT). The final rule will 
facilitate the sharing of information 
within the health care system to support 
new models of integrated health care 
which, among other things, improve 
patient safety while maintaining or 
strengthening privacy protections for 
individuals seeking treatment for 
substance use disorders. Moreover, as 
patients are allowed, in certain 
circumstances, to include a general 
designation in the “To Whom” section
of the consent form, we anticipate there 
will be more individuals with substance 
use disorders participating in 
organizations that facilitate the 
exchange of health information (e.g., 
health information exchanges (HIEs)) 
and organizations that coordinate care 
(e.g., ACOs and coordinated care 
organizations (CCOs)), leading to 
increased efficiency and quality in the 
provision of health care for this 
population. In addition, the revisions to 
the research provision (§ 2.52) will 
allow additional scientific research to be 
conducted that will facilitate continual 
quality improvement of part 2 programs 
and the important services they offer. 


II. Background 


A. Significant Technology Changes 


Since the promulgation of 42 CFR part 
2, significant technology changes have 
impacted the delivery of health care. 
The Office of the National Coordinator 
for Health Information Technology 
(ONC) was established as an office 
within HHS under Executive Order 
13335 on April 27, 2004. Subsequently, 
on February 17, 2009, the Health 
Information Technology for Economic 
and Clinical Health Act (HITECH Act) of 
the American Recovery and 
Reinvestment Act of 2009 (ARRA) (Pub. 
L. 111-5) expanded the Department’s 
health IT work, including the expansion 
of ONC’s authority and the provision of 
federal funds for ONC’s activities 
consistent with the development of a 
nationwide health IT infrastructure. 
This work included the certification of 
health IT; the authorization of CMS’ 
Electronic Health Record (EHR) 
Incentive Program, including payments
to eligible providers for the adoption
and meaningful use of certified EHR 
technology; and numerous other federal 
agencies’ programs—all of which served 
the objective of ensuring patient health 
information is secure, private, accurate, 
and available where and when needed. 
SAMHSA’s role in encouraging the use 
of health IT by behavioral health 
(substance use disorder and mental 
health) providers, included: (1) 
Collaborating with ONC to develop two 
sets of Frequently Asked Questions 
(FAQs) and convening a number of 
stakeholder meetings to provide 
guidance on the application of 42 CFR 
part 2 to HIE models; (2) a one-year pilot 
project with five state HIEs to support 
the exchange of health information 
among behavioral health and physical 
health providers; and (3) the Data 
Segmentation for Privacy (DS4P) 
initiative within ONC’s Standards and 
Interoperability (S&I) Framework 
facilitated: 

• The development of standards to
improve the interoperability of EHRs 
containing sensitive information that 
must be protected to a greater degree 
than other health information due to 42 
CFR part 2 and similar state laws, 

• six DS4P Implementation Guide
(IG) use case pilot projects including the
Department of Veterans Affairs (VA)/SAMHSA
Pilot that implemented all the
DS4P use cases and passed all 
conformance tests, and 

• the development of the application
branded Consent2Share, an open-source 
health IT solution based on DS4P which 
assists in consent management and data 
segmentation. Consent2Share is 
currently being used by the Prince
George’s County (Maryland) Health
Department to manage patient consent 
directives while sharing substance use 
disorder information with an HIE. 

Despite SAMHSA’s efforts, some 
stakeholders continued to request 
modernization of 42 CFR part 2 out of 
concern that part 2, as written in the 
current (1987) regulation, continues to 
be a barrier to the integration of 
substance use disorder treatment and 
physical health care. As noted below, 
SAMHSA plans to release shortly an 
updated version of Consent2Share with 
improved functionality and ability to 
meet List of Disclosures requirements. 


B. Statutory and Rulemaking History 


The Confidentiality of Alcohol and 
Drug Abuse Patient Records regulations, 
42 CFR part 2, implement Section 543 
of the Public Health Service Act, 42 
U.S.C. 290dd-2, as amended by Section 
131 of the Alcohol, Drug Abuse and 
Mental Health Administration 
Reorganization Act (ADAMHA
Reorganization Act), Public Law 102-321
(July 10, 1992). The regulations
were promulgated as a final rule on July 
1, 1975 (40 FR 27802). In 1980, the 
Department invited public comment on 
15 substantive issues arising out of its 
experience interpreting and 
implementing the regulations (45 FR 
53). More than 450 public responses to 
that invitation were received and taken 
into consideration in the preparation of 
a 1983 NPRM (48 FR 38758). 
Approximately 150 comments were 
received in response to the NPRM and 
were taken into consideration in the 
preparation of the final rule released on 
June 9, 1987 (52 FR 21798). 

The Department published an NPRM 
again in the Federal Register (FR) on 
August 18, 1994 (59 FR 42561), which 
proposed a clarification of the definition 
of “Program” in the regulations. 
Specifically, the Department proposed 
to clarify that, as to general medical care 
facilities, these regulations cover only 
specialized individuals or units in such 
facilities that hold themselves out as 
providing and provide alcohol or drug 
abuse (now referred to as substance use 
disorder) diagnosis, treatment, or 
referral for treatment and which are 
federally assisted, directly or indirectly. 
On May 5, 1995, the final rule was 
released (60 FR 22296). 

SAMHSA posted a document in the 
FR on May 12, 2014, (79 FR 26929) 
announcing a public Listening Session 
planned for June 11, 2014, to solicit 
feedback on the Confidentiality of 
Alcohol and Drug Abuse Patient 
Records regulations, 42 CFR part 2. 
SAMHSA accepted written comments 
until June 25, 2014. The Listening 
Session comments are posted on the 
SAMHSA Web site at
http://www.samhsa.gov/about-us/who-we-are/laws-regulations/public-comments-confidentiality-regulations.

Prompted by the need to update and 
modernize the Confidentiality of 
Alcohol and Drug Abuse Patient 
Records regulations at 42 CFR part 2, on 
February 9, 2016, SAMHSA published 
an NPRM that proposed revisions to the 
part 2 regulations and requested public 
input on the proposed changes during a 
60-day public comment period (81 FR 
6988). Although raised in the Listening 
Session public comments, SAMHSA 
decided not to address issues pertaining 
to e-prescribing and Prescription Drug 
Monitoring Programs (PDMPs) in the 
NPRM because they were not ripe for 
rulemaking at the time due to the state 
of technology and because the majority 
of part 2 programs are not prescribing 
controlled substances electronically. As 
noted in the NPRM, SAMHSA intends 
to monitor developments in this area to 
see whether further action may be
warranted in the future. SAMHSA 
received 376 public comment 
submissions on the part 2 NPRM. The 
comments received were detailed, 
thoughtful, and reflective of the 
complex issues addressed and balanced 
in the part 2 regulations. This final rule 
reflects SAMHSA’s thorough 
consideration of all substantive issues 
raised in the public comments in 
response to its proposals in the NPRM. 


III. Overview of the Final Rule 


In this final rule, the Department 
finalizes the modifications to the 
Confidentiality of Alcohol and Drug 
Abuse Patient Records, 42 CFR part 2, 
including renaming it “Confidentiality
of Substance Use Disorder Patient 
Records.” The modifications modernize 
the rule by facilitating electronic 
exchange of substance use disorder 
information for treatment and other 
legitimate health care purposes while 
ensuring appropriate confidentiality 
protections for records that might 
identify an individual, directly or 
indirectly, as having or having had a 
substance use disorder. 


Overview of Public Comments 


We received 376 public comments 
from medical health care providers; 
behavioral health care providers; 
combined medical/behavioral health 
care providers; HIEs, ACOs, CCOs, and 
certified patient-centered medical 
homes (CPCMHs), sometimes called 
health homes; third-party payers; 
privacy/consumer advocates; medical 
health care provider associations; 
behavioral health care provider 
associations; accrediting organizations; 
researchers; individuals (with no stated 
affiliation); attorneys (with no stated 
affiliation); HIT vendors; and state/local 
governments. The comments ranged 
from general support or opposition to 
the proposed provisions to very specific 
questions or comments regarding the 
proposed rules. 

Some comments were outside the 
scope of or inconsistent with 
SAMHSA’s legal authority regarding the 
confidentiality of substance use disorder 
patient records. Likewise, other 
comments did not pertain to specific 
proposals made by SAMHSA in the 
NPRM. In some instances, commenters 
raised policy or operational issues that 
are best addressed through 
subregulatory guidance that SAMHSA 
will consider issuing subsequent to this 
final rule. Consequently, SAMHSA did 
not address these comments in this final 
rule. 

Commenters have also provided 
SAMHSA with informative feedback on
how lawful holders, including third-party
payers and others within the
healthcare industry, use health data or 
hire others to use health data on their 
behalf to provide operational services 
such as independent auditing, legal 
services, claims processing, plan pricing 
and other functions that are key to the 
day-to-day operation of entities subject 
to this rule. We have previously 
clarified in responses to particular 
questions that contracted agents of 
individuals and/or entities may be 
treated as the individual/entity. 
Questions raised by commenters during 
this rulemaking have, however, 
highlighted varying interpretations of 
the current (1987) rule’s restrictions on 
lawful holders and their contractors’ 
and subcontractors’ use and disclosure 
of part 2-covered data for purposes of 
carrying out payment, health care 
operations, and other health care related 
activities. In consideration of this 
feedback and given the critical role that 
third-party payers, other lawful holders, 
and their contractors and subcontractors 
play in the provision of health care 
services, SAMHSA is issuing a 
supplemental notice of proposed 
rulemaking (SNPRM) to seek further 
comments and information on this 
matter. 


IV. Effective Date 


In this final rule, SAMHSA has 
established a single effective date of 30 
days after the publication of the final 
rule, or February 17, 2017. On this date, 
the revised 42 CFR part 2 will replace 
the 1987 version of part 2 in the CFR 
and all part 2 programs and other lawful 
holders of patient identifying 
information must comply with all 
aspects of the regulations. In the NPRM, 
SAMHSA proposed that, with the 
exception of § 2.13(d), part 2 programs 
and other lawful holders of patient 
identifying information would have to 
comply with applicable requirements of 
the revised part 2 regulations beginning 
30 days after the publication of the final 
rule. See Section V.D.3 below for a
discussion of “other lawful holders.”
We proposed that entities would not 
have to comply with the List of 
Disclosures requirements of § 2.13(d) 
until two years after the effective date of
the final rule. As explained below, 
because the right to obtain, upon 
request, a List of Disclosures is only 
available to patients who use a general 
designation in the “To Whom” section
of the consent form, entities must only 
have the technical capability to provide 
the List of Disclosures if they take 
advantage of the general designation 
provision. Therefore, SAMHSA has 
revised the effective date from that
proposed to avoid confusion. However,
signed consent forms in place prior to 
the effective date of this final rule will 
be valid until they expire. Nonetheless, 
part 2 programs may update signed 
consent forms consistent with the final 
rule, prior to the effective date of the 
final rule if they so choose. Consents 
obtained after the effective date will 
need to comply with the final rule, 
regardless of whether the consents 
involve patient identifying information 
obtained prior to or after the effective 
date of this final rule. 


Public Comments 


One commenter urged that the final 
rule allow for implementation of the 
research provision (§ 2.52) immediately 
or shortly after the rule takes effect. 
Several commenters raised concerns 
about how to interpret the two-year 
delayed implementation of List of 
Disclosures and whether the general 
designation will be used during that 
period. 


SAMHSA Response 


SAMHSA acknowledges commenters’ 
confusion regarding the proposed two-year
delayed compliance date for the
List of Disclosures requirements. After 
considering the public comments 
received on this point, SAMHSA 
realized that such a two-year delayed 
compliance date for the requirements of 
§ 2.13(d) is not helpful. As explained in 
the “To Whom” section of the part 2-compliant
consent requirements (see
Section V.J.2 below), an entity that 
serves as an intermediary (e.g., HIE, 
ACO, CCO) must comply with the List 
of Disclosures provision in order to 
disclose information pursuant to a 
general designation provided on the 
consent form (see
§ 2.31(a)(4)(iii)(B)(3)(d)). Therefore, an
entity that serves as an intermediary 
would be prohibited from electing to 
disclose information pursuant to a 
general designation without the ability 
to comply with the List of Disclosures 
requirement. It would not make sense to 
implement a two-year delayed 
compliance date for the List of 
Disclosures requirements at § 2.13(d) 
because the only reason an entity that 
serves as an intermediary would have to 
comply with the List of Disclosures 
requirements would be if they wanted to 
disclose information pursuant to general 
designations that have been included in 
the “To Whom” section of the patient
consent form, which requires alerting 
patients to the fact that they have a right 
to request a list of entities to which their 
information has been disclosed (per 
§ 2.13(d)). Thus, an entity that serves as 
an intermediary is prohibited from 
disclosing information pursuant to a
general designation without having the 
capability to comply with the List of 
Disclosures requirements. For these 
reasons, it is not advisable to include a 
two-year delayed compliance date for 
the List of Disclosures provision. Some 
entities that serve as intermediaries as 
described by § 2.31(a)(4)(iii)(B) may 
elect never to disclose information 
pursuant to a general designation and, 
thus, would not need to comply with 
the List of Disclosures requirement. 
Those that choose to disclose 
information pursuant to general 
designations must ensure the capability 
to comply with the List of Disclosures 
requirements at § 2.13(d) before they 
disclose the information pursuant to a 
general designation. But there is no 
timeframe in which they need to 
comply; only the condition that if they 
choose to have the option of disclosing 
information pursuant to a general 
designation on a consent form, they 
must also be capable of providing a List 
of Disclosures upon request per
§ 2.13(d).

Regarding the suggestion to allow for 
implementation of the Research 
provision § 2.52 immediately after the 
final rule takes effect, SAMHSA 
declines to make this change. For clarity 
regarding part 2 compliance, the 1987 
part 2 final rule remains in effect until 
the effective date for the 2016 part 2 
regulations established in this final rule. 
Because of the revised definitions that 
impact the research provision, it would 
create unnecessary confusion to make 
effective § 2.52 before the rest of the 
final rule. 


V. Discussion of Public Comments and 
Final Modifications to 42 CFR Part 2 


In this section of the final rule, 
SAMHSA explains the finalized 
revisions to the part 2 regulations and 
responds to public comments received. 
If a part 2 CFR section is not addressed 
below, it is because SAMHSA did not 
propose changes to that part 2 provision 
and this final rule maintains the 
existing language in that section. 
However, SAMHSA notes that in 
addition to the revisions discussed 
below, SAMHSA has made other 
technical, non-substantive, and 
nomenclature changes to various part 2 
provisions. Those changes are reflected 
in the regulatory text at the end of this 
rule. 


A. General Comments on the Proposed 
Rule 


1. General Feedback on the Proposed 
Rule 


a. General Support for the Proposed 
Rule 


Public Comments 


Many commenters expressed general 
support for the proposed rule, with 
some noting that the proposed rule 
would preserve the confidentiality 
rights of substance use disorder patients 
while facilitating the sharing of health 
information; would ensure that patients 
with a substance use disorder 
participate in, and benefit from, new 
integrated health care models without 
fear of putting themselves at risk of 
adverse consequences; would help 
reduce the stigma associated with 
substance use disorder; and would 
provide patients comfort in knowing 
they have control of their record. 

Several commenters expressed 
general support for the NPRM’s 
proposed part 2 changes to enhance 
integrated care and information 
exchange. Multiple commenters, with 
some stressing the need for patient 
privacy protections, suggested that 
integrated networks of care between 
medical and behavioral health services 
are current best practice and will benefit 
patients. Two commenters implied 
general support. The first of these two 
commenters stated that the current 
practice of keeping paper substance use 
records separate from the EHR system 
increases work required to maintain 
records, creates redundancies, and 
could contribute to providers missing 
critical information needed for treating 
patients. The second commenter stated 
that the current (1987) part 2 regulations 
are out of step with the health care 
system’s rapid adoption of EHRs, its 
capacity to quickly exchange 
information (e.g., HIEs), the federal 
privacy and security regulations (Health 
Insurance Portability and 
Accountability Act [HIPAA] and 
HITECH) governing these EHRs and 
exchanges, and the increasing treatment 
of patients’ substance use in health care 
systems not covered by existing part 2 
regulations, but by HIPAA. 

Another commenter expressed 
support for the facilitation of electronic 
exchange of substance use disorder 
treatment information where the 
confidentiality protections historically 
afforded patients by part 2 are 
maintained. 

A few commenters stated that the 
proposal would help patients with 
substance use disorders benefit from 
emerging care models that require 
enhanced health information exchange 
for better care coordination (e.g., 
CPCMHs, ACOs). 


SAMHSA Response 


SAMHSA appreciates the support for 
updating the regulations. This final rule 
is intended to modernize the part 2 
regulations by facilitating the electronic 
exchange of substance use disorder 
information for treatment and other 
legitimate health care purposes while 
ensuring appropriate confidentiality 
protections for records that might 
identify an individual, directly or 
indirectly, as having or having had a 
substance use disorder. Many new 
integrated care models rely on 
interoperable health IT and these 
proposed changes are expected to 
support the integration of substance use 
disorder treatment into primary and 
other specialty care, improving the 
patient experience, clinical outcomes, 
and patient safety while at the same 
time ensuring patient choice, 
confidentiality, and privacy. Due to its 
targeted population, part 2 provides 
more stringent federal protections than 
most other health privacy laws, 
including HIPAA. 


b. General Opposition to the Proposed 
Rule 


Public Comments 


Some commenters expressed general 
opposition to the proposed rule, with 
some arguing that it would eliminate the 
right of patients to protect and control 
personal health information; would 
introduce complexity, not 
simplification; and would maintain the 
stigma surrounding drug use. One 
commenter warned the proposed rule 
would create concessions to 
institutional stakeholders, both 
providers and researchers, who find the 
consent requirements inconvenient and 
burdensome. 

Many commenters requested that part 
2 remain unchanged, with some stating 
that loosening part 2 regulations would 
dissuade substance use disorder 
patients from seeking help out of fear of 
how their information could be used 
against them or that the proposed 
regulations would not offer the intended 
protection. 

Some commenters asserted that 
maintaining a separate set of 
confidentiality restrictions aimed solely 
at substance use disorder providers and 
patients perpetuates the discrimination 
associated with substance use disorder 
and ultimately negatively impacts 
patients and the care they receive, 
suggesting that issues of substance use 
disorder information confidentiality 
should be part of the broader general 
medical care confidentiality regulations. 
Others argued that the fear of 
discrimination is a real problem for 
many individuals suffering from a 
substance use disorder and being able to 
receive treatment without worrying that 
personal information will be leaked is 
crucial in helping these people get the 
help they need so that they can return 
to their communities as contributing 
members of society. 


SAMHSA Response 


SAMHSA wants to ensure that 
patients with substance use disorders 
have the ability to participate in, and 
benefit from, new and emerging health 
care models that promote integrated 
care and patient safety while respecting 
the legitimate privacy concerns of 
patients seeking treatment for a 
substance use disorder due to the 
potential for discrimination, harm to 
their reputations and relationships, and 
serious civil and criminal consequences. 
This approach is consistent with the 
intent of the governing statute (42 U.S.C. 
290dd-2) and regulations at 42 CFR part 
2, which is to protect the confidentiality 
of substance use disorder patient 
records. SAMHSA has added more 
flexibility to some of the consent 
provisions, including a range of “To 
Whom” consent options that includes 
the current (1987) “To Whom” consent 
requirement, but still retained core part 
2 protections, including the prohibition 
on re-disclosure as well as requiring the 
“Amount and Kind” section of the 
consent form to include how much and 
what kind of information is to be 
disclosed, including an explicit 
description of the substance use 
disorder information that may be 
disclosed. Changes to the research 
provision also enable patients to benefit 
from advanced research protocols while 
still complying with part 2 protections 
regarding patient confidentiality. 
However, with these conflicting 
comments, as well as all other comments, 
SAMHSA was guided by the governing 
statute in developing the final rule, 
which restricts disclosure without 
consent other than under a small 
number of exceptions. 


2. The Proposed Rule Did Not Go Far 
Enough To Facilitate Information 
Exchange 


Public Comments 


Several commenters suggested that 
the proposed part 2 revisions did not go 
far enough to facilitate information 
exchange and data sharing. For 
example, some commenters asserted 
that the proposed regulations would 
maintain previous barriers and create 
additional barriers that impede the 
sharing of information exchange and 
care coordination necessary to 
effectively treat patients who seek care 
in a variety of settings. A few 
commenters said the proposed part 2 
revisions go beyond the protections 
intended by the statutory requirements 
in 42 U.S.C. 290dd-2 and suggested that 
the proposed changes would continue to 
decrease access to substance use 
disorder treatment and the achievement 
of positive health outcomes. 

Citing concerns about people with 
substance use disorders who visit 
multiple health care providers to obtain 
medication, one commenter advocated 
that substance use disorder health care 
records should be accessible to all 
health care facilities for the sole purpose 
of better treating and rehabilitating these 
patients. 

Other commenters requested further 
clarification on the regulations to ensure 
that coordination of care happens 
smoothly for all patients, especially 
those at the highest need of 
coordination, without unnecessary 
barriers. Citing a 2010 report from the 
President’s Council of Advisors on 
Science and Technology, a couple of 
commenters urged SAMHSA to initiate 
a broad conversation among other HHS 
agencies to develop a granular data 
specification standard that enables 
patients to be in full control of all their 
health data, not just part 2 data. 

Citing technological barriers, a 
commenter asserted that additional 
changes to part 2 are necessary to allow 
for technological solutions for sharing 
data. One commenter said new funding 
for HIEs permitted by recent CMS 
guidance could be maximized by more 
substantial revisions to part 2 that 
would encourage the inclusion of 
substance use disorder providers in 
HIEs. Expressing uncertainty as to 
whether data segmentation can be 
implemented effectively absent clear 
standards, a commenter expressed 
concern the result would be a two-tier 
system of how substance use disorder 
data are defined both by payers and by 
local and state jurisdictions that has the 
effect of having substance use disorder 
data exchanged differently depending 
on if the patient received services 
within or beyond the veil of part 2 
regulation. 

Some commenters suggested that the 
current (1987) part 2 regulation and the 
proposed revisions maintain a status 
quo of segregated substance use disorder 
information with minimal benefits to 
patients, high compliance costs, and 
deterrence for organizations to provide 
substance use treatment. Some of these 
commenters said the part 2 regulations 
keep the substance use disorder 
treatment system isolated from general 
health care providers and reduce access 
to substance use disorder treatment 
being added by general health care 
organizations, which, due to 
administrative burden and liability 
fears, are less likely to add substance 
use disorder treatment. A few of these 
commenters asserted that the part 2 
regulations have unintended 
consequences, including disadvantaging 
persons with a substance use disorder 
and treatment providers because of the 
burdens associated with constantly 
updating expiring consents. One of 
these commenters said that the burdens 
caused by the part 2 regulations are 
particularly costly because patients with 
substance use disorder are among the 
highest cost utilizers in the health care 
system. 

Some commenters asserted that 
maintaining a separate set of 
confidentiality restrictions aimed solely 
at substance use disorder providers and 
patients perpetuates the stigma 
associated with substance use disorder 
and ultimately negatively impacts 
patients and the care they receive, 
suggesting that issues of substance use 
disorder information confidentiality 
should be part of the broader general 
medical care confidentiality regulations. 

Some commenters expressed concern 
that the proposed part 2 revisions did 
not address information exchange issues 
associated with specific types of health 
care services delivery, including 
integrated delivery systems operating 
with a behavioral health organization 
unit or department; organizations that 
include affiliated entities, such as 
jointly held and operated hospital-based 
systems and health insurance plans; 
risk-based Medicaid managed care; 
social service programs integrated with 
publicly financed health delivery 
systems; and combined behavioral 
health service delivery. 

One commenter urged SAMHSA to 
include the release of previous 
substance use disorder treatment 
information from insurance companies 
to part 2 programs as disclosure 
permitted without consent under part 2. 
Another commenter expressed concern 
that SAMHSA did not propose an 
allowance under part 2 regarding 
appropriate disclosures by a health plan 
for the coordination of a health plan 
member’s care. 

Expressing concern that the proposed 
part 2 revisions do not address many of 
the issues on which SAMHSA has 
issued guidance with respect to health 
information networks, a commenter 
asserted that such guidance is outdated 
and creates unintended obstacles to the 
desired exchange of information on 
patients with substance use disorders. 


SAMHSA Response 


The governing statute (42 U.S.C. 
290dd-2) and regulations at 42 CFR part 
2 protect the confidentiality of 
substance use disorder patient records. 
Consistent with the governing statute, 
SAMHSA wants to ensure that patients 
with substance use disorders have the 
ability to participate in, and benefit 
from new and emerging health care 
models which promote integrated care 
and patient safety while respecting the 
legitimate privacy concerns of patients 
seeking treatment for a substance use 
disorder due to the potential for 
discrimination, harm to their 
reputations and relationships, and 
serious civil and criminal consequences. 
Toward that end, SAMHSA held a 
Listening Session on June 11, 2014, to 
solicit feedback on the Confidentiality 
of Alcohol and Drug Abuse Patient 
Records regulations. All the feedback 
received from the Listening Session was 
considered and helped to inform the 
development of the proposed and final 
rules. In addition, SAMHSA 
collaborated with its federal partner 
experts in developing this final rule. 

Information exchange is addressed in 
both the applicability provision (§ 2.12) 
and the consent requirements provision 
(§ 2.31), among other places in this final 
rule. SAMHSA has added more 
flexibility to the “To Whom” section of 
the consent form, which will give 
patients the option to release their 
records to past, current, and/or future 
treating providers. In addition, § 2.13 
requires that a part 2-compliant consent 
form list the date, event, or 
condition upon which the consent will 
expire, if not revoked before. Thus, it is 
not sufficient under part 2 for a consent 
form to merely state that 
disclosures will be permitted until the 
consent is revoked by the patient. It is, 
however, permissible for a consent form 
to specify the event or condition that 
will result in revocation, such as having 
its expiration date be “upon my death.” 
The Applicability provision includes: 
“The restrictions on disclosure in these 
regulations do not apply to 
communications of information between 
or among personnel having a need for 
the information in connection with their 
duties that arise out of the provision of 
diagnosis, treatment, or referral for 
treatment of patients with substance use 
disorders if the communications are 
within a part 2 program; or between a 
part 2 program and an entity that has 
direct administrative control over the 
program.” 


With this rulemaking, SAMHSA has 
attempted to facilitate the electronic 
exchange of substance use disorder 
treatment records while ensuring 
patient privacy. SAMHSA 
acknowledges that many EHRs and HIEs 
are experiencing technical barriers to 
segmenting or redacting substance use 
disorder treatment data. As a result, 
SAMHSA has spent several years 
supporting the continued development 
of the Consent2Share application, an 
open-source health IT solution based on 
DS4P, which assists in both consent 
management and data segmentation. It 
is designed to integrate with existing 
EHR and HIE systems via the developed 
standards. Consent2Share enables 
electronic implementation of various 
sensitive health information disclosure 
policies by applying the information- 
sharing rules needed to constrain the 
disclosure of sensitive data according to 
patient preferences. SAMHSA, in 
conjunction with ONC and other federal 
partners, also continues to support the 
development of data standards and IGs 
to further reduce technical barriers in 
the field. 

Finally, SAMHSA has added 
additional information from previously 
issued FAQ guidance to the preamble 
discussion in this final rule, such as 
information about medical emergencies 
and “holds itself out,” and plans to 
issue additional subregulatory guidance 
after publication of the final rule. 

3. Final Rule Should Balance Patient 
Protections With Enhanced Information 
Exchange 


Public Comments 


Numerous commenters emphasized 
that the part 2 revisions must balance 
patient protections with enhanced 
information exchange and data sharing. 

Some commenters suggested that 
patient confidentiality should not be 
compromised by any updates to the part 
2 regulations, reasoning that the stigma 
associated with having or having had a 
substance use disorder and the fear that 
this information may be used against an 
individual would lead them to not seek 
treatment. To this end, a few of these 
commenters cautioned SAMHSA to 
remain diligent in the oversight of these 
regulations to ensure that the 
information is only being conveyed to 
the appropriate parties with the sole 
intent to improve patient care. Other 
commenters emphasized that sharing 
patient information should be solely for 
necessary medical purposes. Another 
commenter argued that the interest in 
integrating mental health care with 
physical health care should not result in 
the erosion or elimination of the 
heightened privacy protections that are 
essential for effective mental health 
treatment. 

A few commenters urged SAMHSA to 
ensure that the final rule respects 
patient choice for privacy in the 
treatment of sensitive information like 
substance use disorder treatment 
records, including the right to control 
how their records are disclosed, even for 
health and payment purposes. A 
commenter said the proposed part 2 
changes have substantially weakened 
the privacy protections surrounding the 
sharing of a patient’s substance use 
treatment data. One commenter stated 
that before an individual’s health data 
can be accessed, there should be a 
specific, legitimate reason, and a careful 
review of the patient’s set of 
permissions. In addition to suggesting 
that mental health and substance abuse 
records be blocked from view by any 
providers or staff not directly involved 
in the care and treatment of a patient, 
a commenter asserted that a patient has 
the right to have substance abuse and/or 
mental health treatment records 
blocked from view by even their 
primary care provider or nurses. 

A couple of commenters asserted that 
it is both necessary and technologically 
possible to integrate substance use 
disorder and other health care 
information and effectively exchange 
substance use treatment data while 
maintaining the core protections of part 
2, including consent requirements and 
the prohibition on re-disclosure. 

Emphasizing the importance of 
patient confidentiality and privacy, a 
few commenters asserted that sacrificing 
the dignity and well-being of a person 
seeking help for a substance use 
disorder in the name of convenience, 
administrative efficiency, and research 
is a poor way to achieve the well-being 
of either the person in need or the 
community. One of these commenters 
recommended that SAMHSA delay the 
part 2 changes until the technology is 
available to protect persons with 
substance use disorder. 

Another commenter encouraged a 
cautious, step-wise approach to making 
substance use treatment records more 
integrated with general medical records. 
This commenter expressed concern that 
making treatment records more 
accessible to other providers would 
exacerbate the stigmatization of 
substance use disorder, particularly 
among pregnant women, which could 
lead to these individuals not seeking 
treatment for their substance use 
disorder or prenatal care. 


SAMHSA Response 


SAMHSA reiterates its intent to 
ensure that patients with substance use 
disorders have the ability to participate 
in, and benefit from new and emerging 
health care models which promote 
integrated care and patient safety while 
respecting the legitimate privacy 
concerns of patients seeking treatment 
for a substance use disorder due to the 
potential for discrimination, harm to 
their reputations and relationships, and 
serious civil and criminal consequences. 
This approach is consistent with the 
intent of the governing statute (42 U.S.C. 
290dd-2) and regulations at 42 CFR part 
2, which is to protect the confidentiality 
of substance use disorder patient 
records. 

In response to the commenters who 
cautioned SAMHSA to remain diligent 
in the oversight of these regulations, 
SAMHSA has the statutory authority to 
promulgate 42 CFR part 2, but the 
Department of Justice retains the 
authority for enforcing 42 CFR part 2. 
Reports of violation of these regulations 
may be directed to the United States 
Attorney for the judicial district in 
which the violation occurs. The report 
of any violations of these regulations by 
an opioid treatment program may be 
directed to the United States Attorney for 
the judicial district in which the 
violation occurs as well as the SAMHSA 
office for opioid treatment program 
oversight. SAMHSA has oversight of 
opioid treatment programs through 42 
CFR part 8. Related to oversight and 
compliance education, SAMHSA 
expects to issue FAQs as it has done in 
the past and develop other 
subregulatory guidance such as 
education and outreach materials. 

SAMHSA has added more flexibility 
to some of the consent provisions but 
still retained core part 2 protections, 
including prohibition on re-disclosure 
as well as consent options that would 
continue to give patients significant 
control. For example, the “To Whom” 
section of the consent form includes an 
option permitting a general designation 
under certain circumstances. However, 
SAMHSA retained the option of listing 
the name(s) of the individual(s) to 
whom a disclosure is made. In addition, 
any disclosure made under these 
regulations must comply with the 
“Amount and Kind” of information to 
be disclosed and the purpose of the 
disclosure, as provided on a part 2- 
compliant consent form. Furthermore, 
§ 2.13(a) limits the information to be 
disclosed to that information which is 
necessary to carry out the purpose of the 
disclosure. Moreover, a patient has the 
option to withhold consent to disclosure 
of any of their substance use disorder 
information. 

SAMHSA is aware that technology 
adoption is an ongoing process and that 
many behavioral health providers have 
yet to adopt electronic health records as 
incentive payments have been 
unavailable for such purposes for these 
providers under the HITECH 
Meaningful Use Program. In addition, 
paper records are still used today in 
some part 2 programs and shared 
through facsimile (FAX). Therefore, in 
spite of advances in technology, some 
stakeholders are concerned that part 2, 
as currently written, continues to be a 
barrier to the integration of substance 
use disorder treatment and physical 
health care. Rather than waiting for the 
development and adoption of 
technology, SAMHSA decided to issue 
these final regulations to ensure that 
patients with substance use disorders 
have the ability to participate in, and 
benefit from new and emerging health 
care models which promote integrated 
care and patient safety while respecting 
the legitimate privacy concerns of 
patients seeking treatment for a 
substance use disorder due to the 
potential for discrimination, harm to 
their reputations and relationships, and 
serious civil and criminal consequences. 
SAMHSA understands the importance 
of not compromising patient protection, 
and has, in § 2.13(d) of these final 
regulations, required an entity that 
serves as an intermediary (upon request) 
to provide a List of Disclosures made 
pursuant to the general designation 
option. Further, as discussed later in 
this preamble, the general designation 
option may not be used until there is 
technical capability to provide the 
required List of Disclosures. 


4. Part 2 Should Align With the Health 
Insurance Portability and 
Accountability Act 


Public Comments 


Many commenters expressed that part 
2 should be aligned with HIPAA. Some 
commenters specifically mentioned 
various areas for HIPAA alignment, 
including the consent form; Business 
Associate Agreement standards; 
treatment, payment, and health care 
operations; patient-requested 
restrictions on disclosure; de- 
identification standards; medical 
emergencies; research; the definition of 
“Patient identifying information;” 
HIPAA penalties contained in the 
HITECH Act; and re-disclosure 
provisions. Many commenters asserted 
that aligning the regulations with 
HIPAA would help to strike an 
appropriate balance between protecting 
sensitive patient health information 
while providing coordinated, quality 
care. Many commenters urged SAMHSA 
to align part 2 with HIPAA to broaden 
the allowable sharing of data for 
purposes of care coordination and 
patient safety. 

Numerous commenters urged that 
substance use disorder records and 
treatments should be held to the same 
level of privacy as all other health 
records. Other commenters raised the 
concern of equal access, stating that 
individuals with substance use disorder 
should have the same access to the 
benefits of increased care coordination 
as individuals without substance use 
disorder. 

Commenters encouraged the broader 
harmonization of part 2, HIPAA, and 
HITECH into a single uniform set of 
standards applicable for all personal 
health information, including substance 
use disorder treatment and payment. 

Some commenters asserted that 
HIPAA is sufficient to protect patient 
privacy and part 2 is no longer 
necessary. Some commenters also 
asserted that part 2 predates the 
development of EHR and HIEs, and 
there is pressing need to reconsider 
these rules in light of more recent 
technological and legal developments. 
Some commenters expressed concern 
that complying with both part 2 and 
HIPAA would lead to undue 
administrative burden and management 
issues across the continuum of patient 
care. 

A commenter recommended that 
SAMHSA should add the same release 
requirements for substance use disorder 
treatment as is required for 
psychotherapy notes under HIPAA, 
which are restricted from release 
without the client’s consent. According 
to the commenter, this would give 
substance use disorder patients 
protections with Business Associates 
Agreements (instead of additional rules 
and forms for Qualified Service 
Organization Agreements [QSOAs]), 
notification upon breach requirements, 
and other rights already afforded 
persons receiving medical and mental 
health care. 

Several commenters said part 2 
should be as consistent as possible with 
HIPAA, except for the prohibition on 
use for investigation, prosecution, or 
criminal charges. 


SAMHSA Response 


SAMHSA noted the many comments 
from a wide range of commenters that 
requested that SAMHSA align part 2 
provisions with HIPAA where possible. 
In some instances, SAMHSA has 
attempted to do so in this final rule to 
the extent the change was permissible 
under 42 U.S.C. 290dd-2. At the same 
time, part 2 and its governing statute are 
separate and distinct from HIPAA and 
its implementing regulations. Because of 
its targeted population, part 2 provides 
more stringent federal protections than 
most other health privacy laws, 
including HIPAA. 

In response to comments about 
alignment of this regulation with 
HIPAA, SAMHSA has aligned the 
interpretation of the definition of “Patient 
identifying information” with HIPAA to 
the extent feasible. In addition, 
SAMHSA revised Security for records 
(§ 2.16) to more closely align with 
HIPAA. 


B. Statutory Authority (§ 2.1) 


SAMHSA is adopting this section as 
proposed. SAMHSA has combined what 
was §§ 2.1 (Statutory authority for 
confidentiality of drug abuse patient 
records) and 2.2 (Statutory authority for 
confidentiality of alcohol abuse patient 
records) and renamed the new § 2.1, 
Statutory authority for confidentiality of 
substance use disorder patient records. 
We have re-designated §§ 2.2 through 
2.5 accordingly. In the new § 2.1, 
SAMHSA has deleted references to 42 
U.S.C. 290ee-3 and 42 U.S.C. 290dd-3. 
Sections 290dd-3 and 290ee-3 were 
omitted by Public Law 102-321 and 
combined and renamed into Section 
290dd-2, Confidentiality of records. In 
addition, we have deleted references to 
laws and regulations that have been 
repealed in § 2.21. 


Public Comments 


One commenter urged SAMHSA to 
assess whether existing statutory 
authority is adequate to modernize part 
2 regulatory requirements to keep pace 
with existing laws and industry 
developments while also protecting 
privacy, and to discuss necessary 
statutory changes in the final rule. 
Further, the commenter recommended 
that SAMHSA encourage Congress to 
convene public hearings to evaluate 
proposals for statutory changes and 
delay issuing a final rule if pending 
legislative proposals are enacted that 
change the legal landscape for substance 
use disorder information and related 
protections. 

A commenter urged SAMHSA to 
address the congressional action that 
may be needed to effectively expand the 
ability to provide coordinated services, 
such as including health and human 
services agencies’ field staff clearly into 
the definition of treatment terms. A few 
commenters suggested that the statutory 
authority underlying the part 2 
regulations (42 U.S.C. 290dd-2) should 
be revised. Another commenter asserted 
that the 1992 confidentiality statute 
should be reformed to afford patients 
greater protections against unlawful 
disclosure of their substance use 
disorder treatment, limit the use of 
information shared for non-health 
purposes, provide meaningful 
enforcement and penalties, and more 
effectively prevent discrimination. 
Another commenter recommended that 
modifications should be made to HIPAA 
to incorporate special protections and 
limitations for substance use 
information and that the part 2 
regulations should be rescinded. If the 
intent of the part 2 changes is to prevent 
inappropriate adverse consequences 
from the disclosure of substance use 
disorder health data, a commenter 
suggested that those specific adverse 
consequences should be targeted with 
legislation reform, rather than providing 
a blanket privacy allowance that hides 
medical information from providers. 


SAMHSA Response 


SAMHSA does not have the authority 
to repeal or revise the governing statute 
for the regulations codified at 42 CFR 
part 2 nor any other statute, as that 
power is given to Congress. The part 2 
authorizing statute, 42 U.S.C. 290dd-2, 
gives the Secretary broad authority to 
carry out the confidentiality provisions 
therein, but to promulgate requirements 
to: (1) Carry out the purposes of the 
legislation; (2) prevent its 
circumvention or evasion; and (3) 
facilitate its compliance. These part 2 
revisions were drafted to further these 
three purposes while, to the extent 
allowable under the legislation, 
permitting disclosure and use to 
increase access to treatment and 
improve treatment services. The intent 
of the part 2 regulations and its 
governing statute (42 U.S.C. 290dd-2) is 
to protect the confidentiality of 
substance use disorder patient records. 
Because individuals seeking treatment 
for substance use disorders may 
experience a host of negative 
consequences, including discrimination, 
harm to their reputations and 
relationships, and possibly serious civil 
and criminal consequences should 
information regarding their treatment be 
improperly disclosed, there is a specific 
need for strong privacy protections for 
substance use disorder records. 


C. Reports of Violations (§ 2.4) 


SAMHSA is adopting this section as 
proposed. We have revised the 
requirement of reporting violations of 
these regulations by a methadone 
program to the FDA (§ 2.5(b)). The 
authority over methadone programs 
(now referred to as opioid treatment 
programs) was transferred from the FDA 
to SAMHSA in 2001 (66 FR 4076). 
Suspected violations of 42 CFR part 2 by 
opioid treatment programs may be 
reported to the U.S. Attorney’s Office for 
the judicial district in which the 
violation occurred, as well as the 
SAMHSA office responsible for opioid 
treatment program oversight. 


Public Comments 


SAMHSA received no public 
comments on this section. This section 
of the final rule is adopted as proposed. 


D. Definitions (§ 2.11) 


SAMHSA has consolidated all of the 
definitions in 42 CFR part 2, with the 
exception of the definition of the term 
“Federally assisted,” into a single 
section at § 2.11. SAMHSA has retained 
the definition of the term “Federally 
assisted” in § 2.12 (Applicability) for the 
purpose of clarity because it is key to 
understanding the applicability of the 
part 2 regulations. SAMHSA is adopting 
these structural changes as proposed in 
the NPRM. Specific definitions are 
discussed in the sections below. If a part 
2 definition is not addressed below, it 
is because SAMHSA did not propose or 
make substantive changes to that 
definition. However, as discussed 
below, SAMHSA updated the terms in 
those definitions, as appropriate (e.g., to 
replace “program” with “part 2 
program,” and when “alcohol abuse” 
and “drug abuse” were used collectively 
to replace it with “substance use 
disorder”). The definitions in the 
regulatory text of this final rule reflect 
these changes. 


1. New Definitions 
a. Part 2 Program 


SAMHSA is adopting this definition 
as proposed. SAMHSA defines a “Part 
2 program” as “a federally assisted 
program (federally assisted as defined in 
§ 2.12(b) and program as defined in 
§ 2.11). See § 2.12(e)(1) for examples.” 
We have retained the examples 
provided in § 2.12(e)(1) of the current 
(1987) regulations, with minor 
clarifications in § 2.12(e)(1), because 
they explain the part 2 applicability and 
coverage. SAMHSA has replaced the 
term “program” with “part 2 program,” 
where appropriate. For example, we 
have revised the definition of QSO, 
including replacing “program” with 
“part 2 program,” which is discussed in 
depth below (see Section V.D.2.i., 
Existing Definitions). We also replaced 
“program” with “part 2 program” in 
several other definitions, while making 
no additional changes. 

While a couple of commenters 
purported to address the proposed 
definition of “Part 2 program,” the 
nature of their comments made clear 
that their underlying concern was how 
SAMHSA defined “Program” for 
purposes of part 2. For this reason, these 
comments are addressed in the 
discussion of the definition of 
“Program” below (see Section V.D.2.h). 


b. Part 2 Program Director 


SAMHSA is adopting this definition 
as proposed, except for a non- 
substantive technical edit. Because of 
the addition of the “Part 2 program” 
definition, we have defined a “Part 2 
program director” as: 

• In the case of a part 2 program that 
is an individual, that individual; and 

• In the case of a part 2 program that 
is an entity, the individual designated as 
director or managing director, or 
individual otherwise vested with 
authority to act as chief executive officer 
of the part 2 program. 

We have deleted the definition of 
“Program Director.” 


Public Comments 


SAMHSA received no public 
comments on this definition. This 
section of the final rule is adopted as 
proposed. 


c. Substance Use Disorder 


SAMHSA is adopting this definition 
as proposed, except to remove the final 
sentence, “Also referred to as substance 
abuse.” Throughout this rule, SAMHSA 
made revisions to refer to alcohol abuse 
and drug abuse collectively as 
“substance use disorder” but, when 
referring to the part 2 governing statute, 
we use “substance abuse” since that is 
the term used in 42 U.S.C. 290dd-2. 
SAMHSA also uses the term “substance 
abuse” when discussing public 
comments and other publications that 
use that term. For consistency, 
SAMHSA also revised the title of 42 
CFR part 2 from “Confidentiality of 
Alcohol and Drug Abuse Patient 
Records” to “Confidentiality of 
Substance Use Disorder Patient 
Records.” SAMHSA has replaced 
“alcohol or drug abuse” with 
“substance use disorder” in several 
definitions. 

While SAMHSA has deleted the 
definitions of “Alcohol abuse” and 
“Drug abuse,” we continued to use the 
terms “alcohol abuse” and “drug abuse” 
when referring to 42 U.S.C. 290dd-3 
and 42 U.S.C. 290ee-3 (omitted by Pub. 
L. 102-321 and combined and renamed 
into Section 290dd-2), respectively, 
because they are the terms used in the 
statutes. 

SAMHSA is defining the term 
“Substance use disorder” in such a 
manner as to cover substance use 
disorders that can be associated with 
altered mental status that has the 
potential to lead to risky and/or socially 
prohibited behaviors, including, but not 
limited to, substances such as alcohol, 
cannabis, hallucinogens, inhalants, 
opioids, sedatives, hypnotics, 
anxiolytics, and stimulants. In addition, 
the “Substance use disorder” definition 
clarifies that, for the purposes of these 
regulations, the term excludes both 
tobacco and caffeine. 


Public Comments 


Several commenters expressed 
support for the newly defined term 
“substance use disorder” to replace 
references to alcohol and drug abuse. 
One commenter requested that 
SAMHSA clarify the scope of substance 
use disorder and what constitutes 
substance use treatment. Another 
commenter suggested that, in the 
definition of substance use disorder, 
protected data should be directly related 
to an objective measure, such as 
information related to specific payment 
or clinical diagnosis codes submitted in 
connection with reimbursement for 
services. 


SAMHSA Response 


The final rule adopts the definition of 
substance use disorder as proposed, 
except that the parenthetical of the 
proposed definition is not adopted in 
the final rule. Use of the term is 
consistent with recognized classification 
manuals, current diagnostic lexicon, 
and commonly used descriptive 
terminology. Moreover, SAMHSA 
declines to define substance use 
disorder treatment by specific billing or 
diagnostic codes in the final rule as 
these codes are subject to frequent 
revision. 


d. Treating Provider Relationship 


SAMHSA is modifying the proposed 
definition of “Treating provider 
relationship” slightly to account for the 
situation of involuntary commitment 
and other situations where a patient is 
diagnosed, evaluated and/or treated, but 
may not have actually consented to such 
care, as discussed in greater detail 
below. In summary, a treating provider 
relationship means that, regardless of 
whether there has been an actual in- 
person encounter: 

• A patient is, agrees to, or is legally 
required to be diagnosed, evaluated, 
and/or treated, or agrees to accept 
consultation, for any condition by an 
individual or entity, and; 

• The individual or entity undertakes 
or agrees to undertake diagnosis, 
evaluation, and/or treatment of the 
patient, or consultation with the patient, 
for any condition. 


As explained in the NPRM, the term 
“agrees” as used in the definition does 
not necessarily imply a formal written 
agreement. An agreement might be 
evidenced, among other things, by 
making an appointment or by a 
telephone consultation. 

It is also important to note that, based 
on the definition of treating provider 
relationship, SAMHSA considers an 
entity to have a treating provider 
relationship with a patient if the entity 
employs or privileges one or more 
individuals who have a treating 
provider relationship with the patient. 


Public Comments 


A few commenters expressed support 
for the proposed definition of “treating 
provider relationship.” One commenter 
supported the definition and added that 
this type of relationship could be a 
result of any action taken to schedule, 
refer, or order services that are related 
to health services to be provided in the 
future. 

Other commenters provided 
suggestions to improve the definition, 
including specifying entities involved in 
identifying, evaluating, and referring for 
treatment any persons in need of 
substance use disorder services; adding 
related services, including social 
services, and consultation; accounting 
for patients who cannot agree or consent 
to the relationship; and clarifying that 
an individual’s designated treating 
provider is also a treating provider for 
part 2 purposes, even before the 
patient’s first appointment. A few 
commenters requested that HIEs, health 
plans, and organizations that provide 
care coordination be added to the 
definition, or that comparable 
definitions be provided for these 
entities. 

A few commenters objected to the 
consent requirements limiting recipients 
to entities with a “treating provider 
relationship,” and suggested that the 
requirement be eliminated, or the term 
be redefined to include entities that 
provide care management. A few 
commenters also disagreed with the 
interpretation that equates making an 
appointment with an agreement to 
diagnose or treat. 

Some commenters raised a number of 
questions about the definition, 
including whether the definition applies 
to each hospital in a system or to the 
system as a whole; whether the 
definition applies to Medicaid managed 
care programs with mandatory 
enrollment; whether a care coordination 
entity can form a treating provider 
relationship with an individual; and 
whether ancillary providers, such as 
laboratories, pharmacies, therapists, 
counselors, or mental health specialists, 
fall within the definition of treating 
provider relationship. 


SAMHSA Response 


A treating provider relationship, as 
defined in this final rule, begins when 
an individual seeks or receives health- 
related assistance from an individual or 
entity who may provide assistance. 
However, the relationship is clearly 
established when the individual or 
entity agrees to undertake diagnosis, 
evaluation, and/or treatment of the 
patient, or consultation with the patient, 
and the patient agrees to be treated, 
whether or not there has been an actual 
in-person encounter between the 
individual or entity and the patient. 
When a patient is not regarded as being 
legally competent under the laws of 
their jurisdiction, such as when a 
patient is subject to an involuntary 
commitment (i.e., formally committed 
for behavioral health treatment by a 
court, board, commission, or other legal 
authority), a treating provider 
relationship may be established when a 
patient is, agrees to, or is legally 
required to be provided consultation, 
diagnosis, evaluation, and/or treatment 
by an individual or entity. A treating 
provider relationship may be 
established whether or not there has 
been an actual in-person encounter 
between the individual or entity and 
patient. A treating provider relationship 
with a patient may be established by 
any member of the health care team as 
long as the relationship meets the 
definition of “Treating provider 
relationship.” SAMHSA believes that 
further specification in this definition is 
unnecessary. 


e. Withdrawal Management 


SAMHSA is adopting this definition 
as proposed. SAMHSA has removed the 
definition of “Detoxification treatment” 
and replaced it with the definition of 
the currently acceptable term 
“Withdrawal management” as indicated 
in the American Society of Addiction 
Medicine (ASAM) Principles of 
Addiction Medicine, 5'* edition.1 


Public Comments 


One commenter supported replacing 
the term “Detoxification treatment” 
with the term “Withdrawal 
management.” 


SAMHSA Response 


SAMHSA appreciates this support. 


¹ ASAM Principles of Addiction Medicine, 5th 
edition, 2014, Richard Ries et al., editor. 
http://www.asam.org/quality-practice/essential-textbooks/principles-of-addiction-medicine 
(last accessed Aug. 1, 2016). 


2. Existing Definitions 
a. Central Registry 


SAMHSA is adopting this definition 
as proposed. SAMHSA has updated the 
definition of “Central registry” to 
incorporate currently accepted 
terminology. 


Public Comments 


One commenter stated that the NPRM 
preamble described the proposed 
revisions to the definition of “central 
registry” as changes to “update 
terminology to make the definition 
clearer,” rather than detailing the 
proposed changes to the definition, so 
there was insufficient information for 
public comment. 


SAMHSA Response 


Exact language for the definition of 
“central registry” was provided in the 
NPRM regulation text and is being 
adopted as proposed. 


b. Disclose or Disclosure 


SAMHSA is modifying the proposed 
definition of “Disclose” to specifically 
cover diagnosis, treatment, and referral 
for treatment for substance use disorder, 
as follows: “Disclose means to 
communicate any information 
identifying a patient as being or having 
been diagnosed with a substance use 
disorder, having or having had a 
substance use disorder, or being or 
having been referred for treatment of a 
substance use disorder either directly, 
by reference to publicly available 
information, or through verification of 
such identification by another person.” 
We have updated terminology and made 
the definition clearer. SAMHSA has 
defined only one word, “Disclose,” 
since it is implied that the same 
definition applies to other forms of the 
word. 


Public Comments 


A commenter encouraged SAMHSA 
to develop guidance and promote 
standards adoption for the identification 
of part 2 data so that the 
implementation and applicability of 
concrete restrictions and obligations can 
be applied to the disclosure of such 
data. Another commenter urged 
coordination between the definitions of 
“disclosure” of a substance use disorder 
and a current or former “patient,” 
because someone may have a past 
substance use disorder but may not have 
been a former patient. A commenter 
stated that the NPRM preamble 
described the proposed revisions to the 
definition of “disclosure” as changes to 
“update terminology and make the 
definition clearer,” rather than detailing 
the proposed changes to the definition, 
so there was insufficient information for 
public comment. 


SAMHSA Response 


With regard to developing 
subregulatory guidance and promoting 
standards adoption, SAMHSA is an 
organizational member of Health Level 
7 (HL7) and is working to ensure that 
health IT standards support the needs of 
behavioral health treatment patients and 
providers. SAMHSA has supported the 
creation of several HL7 standards, 
including the Composite Privacy 
Consent Directive Domain Analysis 
Model to capture the requirement of 
states and federal agencies. Those 
requirements were reflected in the IG for 
Clinical Document Architecture Release 
2 (CDA R2) to provide a standard-based 
electronic representation of a consent to 
support the management of consent 
directives and policies. 


In response to comments urging 
coordination between the definition of 
“disclosure” and a current or former 
patient, SAMHSA has expanded the 
definition of “disclose” to include any 
information identifying a patient as 
“being or having been diagnosed with a 
substance use disorder, having or 
having had a substance use disorder, or 
being or having been referred for 
treatment of a substance use disorder.” 
Exact language for the definition of 
“disclosure” was provided in the NPRM 
regulatory text and is being adopted as 
proposed. We note that to the extent an 
individual may have had a past 
substance use disorder diagnosis, but 
never sought or received diagnosis, 
treatment, or referral for substance use 
disorder treatment, the definition of 
patient would not cover such individual 
and the part 2 regulations would not 
apply to that individual’s health 
information unless and until the 
individual is a patient as defined in 
these regulations. 


c. Maintenance Treatment 


SAMHSA is modifying this definition 
from what was proposed by replacing 
the term “pharmacotherapy” with the 
phrase “long-term pharmacotherapy” 
for purposes of clarity to read as 
follows: “Maintenance treatment means 
long-term pharmacotherapy for 
individuals with substance use 
disorders that reduces the pathological 
pursuit of reward and/or relief and 
supports remission of substance use 
disorder-related symptoms.” As 
compared to the 1987 final rule 
definition of “Maintenance treatment,” 
SAMHSA updated terminology in the 
definition and moved it from § 2.34 to 
§ 2.11. 


Public Comments 


A commenter stated that the NPRM 
preamble described the proposed 
revisions to the definition of 
“maintenance treatment” as changes to 
“update terminology and make the 
definition clearer,” rather than detailing 
the proposed changes to the definition, 
so there was insufficient information for 
public comment. 


SAMHSA Response 


Exact language for the proposed 
definition of “maintenance treatment” 
was provided in the NPRM regulation 
text at 81 FR 7014. 


d. Member Program 


In response to comments received, 
SAMHSA has revised the definition of 
“Member program,” by replacing a 
reference to a specific geographic 
distance, so it reads as follows: 
“Member program means a withdrawal 
management or maintenance treatment 
program which reports patient 
identifying information to a central 
registry and which is in the same state 
as that central registry or is in a state 
that participates in data sharing with the 
central registry of the program in 
question.” 


Public Comments 


A commenter asserted that the 125- 
mile distance to a state border limitation 
contained within the definition of 
“member program” does not adequately 
recognize the geographic realities of 
states with significant rural and frontier 
areas, and the commenter strongly 
suggested that it be eliminated. 


SAMHSA Response 


In response to the comment, 
SAMHSA has removed the distance 
from the definition to address the 
concerns about rural areas and replaced 
it with “is in a state that participates in 
data sharing with the central registry of 
the program in question.” We removed 
the distance requirement from the 
definition of “Member program” to 
reflect that in some states (e.g., with 
rural areas) the distance from the border 
of the state in which the central registry 
is located may exceed 125 miles. 


e. Patient 


SAMHSA is adopting this definition 
as proposed. To emphasize that the term 
“Patient” refers to both current and 
former patients, SAMHSA has revised 
the definition as follows: “Patient 
means any individual who has applied 
for or been given diagnosis, treatment, 
or referral for treatment for a substance 
use disorder at a part 2 program. Patient 
includes any individual who, after 
arrest on a criminal charge, is identified 
as an individual with a substance use 
disorder in order to determine that 
individual’s eligibility to participate in 
a part 2 program. This definition 
includes both current and former 
patients.” 


Public Comments 


One comment opposed the inclusion 
of former patients in the definition 
because retrospective outcome studies 
would be difficult to conduct because 
many patients relocate or their contact 
information becomes otherwise 
unobtainable for purposes of obtaining 
consent to disclose and use patient 
identifying information. One commenter 
opposed including in the definition 
individuals who “applied for” but did 
not receive a diagnosis and also asked 
who makes the identification of an 
individual with a substance use 
disorder. Another commenter suggested 
that the definition should include 
individuals participating in prevention 
programs and recovery support 
programs. A commenter asked whether 
the definition includes an individual 
who has been involuntarily committed 
to a program for treatment and 
suggested that the final rule clarify that 
such an individual is considered a 
patient and entitled to part 2’s 
protections. 


SAMHSA Response 


Regarding the opposition to including 
former patients in the definition of 
“Patient” because retrospective outcome 
studies would be difficult to conduct, 
this concern appears to be based on a 
misunderstanding that a consent 
requires a specific expiration date. A 
part 2-compliant consent form must list 
the date, event, or condition upon 
which the consent will expire, if not 
revoked before. Therefore, it would be 
permissible for a consent form to specify 
the event or condition that will result in 
revocation, such as having its expiration 
date be “upon my death.” 
Consequently, it is possible for 
researchers to obtain consents that 
would permit retrospective outcome 
studies. 

Regarding the inclusion of “applied 
for” in the definition of “Patient,” this 
definition has not changed from that 
included in the 1987 final rule except to 
replace “alcohol and drug abuse” with 
“substance use disorder.” SAMHSA 
declines to make the recommended 
change since no other concerns 
regarding the inclusion of “applied for” 
have been received in over 29 years. 
Patients who are involuntarily 
committed to participating in or 
receiving substance use disorder 
services from a part 2 program are 
covered by the definition. SAMHSA 
declines to accept the suggestion that 
the definition should be expanded to 
cover patients in prevention programs 
as such programs are not covered by the 
definition of a part 2 program. 


f. Patient Identifying Information 


SAMHSA is modifying the definition 
as proposed to: (1) Clarify that SAMHSA 
intends for the identifiers listed in the 
HIPAA Privacy Rule at 45 CFR 
164.514(b)(2)(i) that are not already 
included in the definition of patient 
identifying information to meet the “or 
similar information” standard; (2) delete 
the word “publicly” from the phrase 
“can be determined with reasonable 
accuracy either directly or by reference 
to other publicly available information”; 
and (3) to revise the last sentence as 
follows: for internal use only by the part 
2 program, if that number does not 
consist of, or contain numbers (such as 
a social security, or driver’s license 
number) that could be used to identify 
a patient with reasonable accuracy from 
sources external to the part 2 program.” 

SAMHSA intends for the identifiers 
listed in the HIPAA Privacy Rule at 45 
CFR 164.514(b)(2)(i) that are not already 
included in the definition of “Patient 
identifying information” to meet the 
following clause: ‘or similar 
information.’ Those HIPAA Privacy 
Rule identifiers are: 

(1) Name; 

(2) All geographic subdivisions 
smaller than a [s]tate, including street 
address, city, county, precinct, zip code, 
and their equivalent geocodes, except 
for the initial three digits of a zip code 
if, according to the current publicly 
available data from the Bureau of the 
Census: 

(i) The geographic unit formed by 
combining all zip codes with the same 
three initial digits contains more than 
20,000 people; and 

(ii) The initial three digits of a zip 
code for all such geographic units 
containing 20,000 or fewer people is 
changed to 000; 

(3) All elements of dates (except year) 
for dates directly related to an 
individual, including birth date, 
admission date, discharge date, date of 
death; and all ages over 89 and all 
elements of dates (including year) 
indicative of such age, except that such 
ages and elements may be aggregated 
into a single category of age 90 or older; 

(4) Telephone numbers; 

(5) Fax numbers; 

(6) Electronic mail addresses; 

(7) Social security numbers; 

(8) Medical record numbers; 

(9) Health plan beneficiary numbers; 

(10) Account numbers; 

(11) Certificate/license numbers; 

(12) Vehicle identifiers and serial 
numbers, including license plate 
numbers; 

(13) Device identifiers and serial 
numbers; 

(14) Web Universal Resource Locators 
(URLs); 

(15) Internet Protocol (IP) address 
numbers; 

(16) Biometric identifiers, including 
finger and voice prints; 

(17) Full face photographic images 
and any comparable image; or 

(18) Any other unique identifying 
number, characteristic, or code. 


Public Comments 


A few commenters urged that the 
definition of “Patient identifying 
information” be aligned with the 
“protected health information,” 
including the patient identifiers, under 
HIPAA. One commenter recommended 
that telephone numbers and email 
addresses should be mentioned because 
they are accessible by electronic means. 
Another commenter suggested that 
SAMHSA delete the reference to 
publicly available information; use a 
phrase such as, “information with 
respect to which there is a reasonable 
basis to believe that the information can 
be used to identify the individual”; and 
mention other identifiers assigned to an 
individual, including credit card 
numbers, driver’s license numbers, and 
automobile license numbers. 


SAMHSA Response 


The HIPAA Privacy Rule, at 45 CFR 
164.514(b)(2)(i), enumerates 18 
identifiers that make health information 
individually identifiable. SAMHSA 
considers any of these identifiers to be 
patient identifying information either 
because SAMHSA has explicitly listed 
the identifier in the definition of patient 
identifying information in 42 CFR part 
2 or because SAMHSA considers the 
identifier to be ‘similar information’ 
(See § 2.11 Definitions). Also as 
suggested, SAMHSA has deleted the 
word “publicly” from the phrase “can 
be determined with reasonable accuracy 
either directly or by reference to other 
publicly available information;” 


g. Person 


SAMHSA is adopting this definition 
as proposed. SAMHSA has revised the 
definition of “Person” to clearly 
indicate that “Person” is also referred to 
as individual or entity. 


Public Comments 


A commenter urged SAMHSA to 
recognize an “Affiliated Covered Entity” 
under HIPAA as an “entity” in the 
definition of “Person.” Another 
commenter asked that the definition 
specify that it includes limited liability 
companies. A commenter suggested 
removing the redundant parenthetical at 
the end of the proposed definition. 


SAMHSA Response 


SAMHSA has determined that no 
change is needed in response to the 
comments; the definition covers any 
legal entity. SAMHSA declines to delete 
the clarifying parenthetical at the end of 
the definition since the terms 
“individual” and “entity” are more 
intuitive than the term “person,” as 
defined in these regulations. 


h. Program 


SAMHSA decided not to finalize its 
proposed changes to the definition of 
“Program,” but did make minor updates 
to the terminology in the text. We are, 
however, finalizing certain other minor 
changes to the proposed definition to 
update terminology so that it is 
consistent with current best practice. 

First, SAMHSA moved the reference 
to examples from the definition of 
“Program” to the definition of “Part 2 
program.” 

Second, we retain the language 
changes from drug and/or alcohol abuse 
to substance use disorder. 

Finally, as stated in the NPRM, 
SAMHSA clarifies that paragraph (1) of 
the definition of “Program” would not 
apply to “general medical facilities.” 
However, paragraphs (2) and (3) of the 
definition of “Program” would apply to 
“general medical facilities.” 


Public Comments 


A few commenters expressed support 
for the revised definition of “Program.” 

However, many commenters generally 
opposed the proposed revision to the 
definition of “Program.” The reasons 
primarily related to interpretations that 
SAMHSA did not intend to imply. 
Many commenters asked that SAMHSA 
not call out general medical practices as 
a separate category of provider excluded 
from paragraph one but included in 
paragraphs two and three of the 
definition of program. 

Some commenters requested 
clarification in various areas, including 
the meaning and examples of “holds 
itself out;” determining “primary 
function;” treatment of behavioral 
health clinics and community mental 
health centers; roles of general medical 
or dental practices that engage in 
screening, brief intervention, and 
referrals for treatment (SBIRT) activities, 
and co-located substance abuse/mental 
health counselors; whether covered part 
2 facilities provide some, primarily 
provide, or only provide substance use 
disorder diagnosis, treatment, and 
referral to treatment; physicians who 
prescribe buprenorphine products and 
pharmacies that fill those prescriptions; 
a general psychiatric unit that also 
provides substance use disorder 
treatment; and offering patients 
integrated behavioral health care in a 
primary care setting. 

Some commenters suggested limiting 
programs to those that meet a minimum 
standard, are specifically licensed, 
credentialed, or accredited, such as state 
licensure. Several commenters asked 
that SAMHSA provide an exception for 
pharmacists and pharmacies or dentists. 
Lastly, a commenter said the rule 
should include rehabilitation centers as 
medical facilities. 


SAMHSA Response 


Based on the number and type of 
comments received regarding including 
general medical practices in the 
Program definition, SAMHSA has 
decided not to finalize the general 
medical practices language in the final 
rule. The number and type of comments 
led SAMHSA to believe separating out 
general medical practices from general 
medical facilities was more confusing 
than clarifying. Most commenters 
indicated a belief that SAMHSA was 
expanding the definition of program to 
include individuals and entities that 
had not previously been covered. As 
we've previously noted in our publicly 
available FAQ guidance, a practice 
comprised of primary care providers 
could be considered a “general medical 
facility” and be subject to 42 CFR part 2 
if they are both “federally assisted” and 
meet the definition of a program under 
42 CFR 2.11. Nevertheless, consistent 
with the definition of a “program”: 


1. If a provider is not a general medical 
care facility, then the provider meets the part 
2 definition of a “Program” if it is an 
individual or entity who holds itself out as 
providing, and provides substance use 
disorder diagnosis, treatment, or referral for 
treatment. 

2. If the provider is an identified unit 
within a general medical facility, it is a 
“Program” if it holds itself out as providing, 
and provides, substance use disorder 
diagnosis, treatment, or referral for treatment. 

3. If the provider consists of medical 
personnel or other staff in a general medical 
facility, it is a “Program” if its primary 
function is the provision of substance use 
disorder diagnosis, treatment, or referral for 
treatment and is identified as such 
specialized medical personnel or other staff 
by the general medical facility. 


SAMHSA’s FAQ guidance further 
addresses the issue of what constitutes 
a general medical facility. This FAQ 
guidance clarifies that, while the term 
“general medical care facility” is not 
defined in the definitions section of 42 
CFR 2.11, hospitals, trauma centers, or 
federally qualified health centers would 
generally be considered “general 
medical care” facilities. Therefore, 
primary care providers who work in 
such facilities would only meet part 2’s 
definition of a program if (1) they work 
in an identified unit within such general 
medical facility that holds itself out as 
providing, and provides, substance use 
disorder diagnosis, treatment or referral 
for treatment, or (2) the primary 
function of the provider is substance use 
disorder diagnosis, treatment or referral 
for treatment and they are identified as 
providers of such services. In addition, 
a practice comprised of primary care 
providers could be considered a 
“general medical facility.” As such,
only an identified unit within that 
general medical care facility which 
holds itself out as providing and 
provides substance use disorder 
diagnosis, treatment or referral for 
treatment would be considered a 
“program” under the definition in the 
part 2 regulations. Medical personnel or 
staff within that facility whose primary 
function is the provision of those 
services and who are identified as such 
providers would also qualify as a 
“program” under the definition in the 
part 2 regulations. Other units or 
practitioners within that general 
medical care facility would not meet the 
definition of a part 2 program unless 
such units or practitioners also hold 
themselves out as providing and 
provide substance use disorder 
diagnosis, treatment or referral for 
treatment. 

SAMHSA also clarifies that the 
program definition does not 
categorically exclude buprenorphine 
providers. However, holding a waiver to 
prescribe buprenorphine or holding a 
waiver and prescribing buprenorphine 
as part of primary care practice also 
does not lead to categorical inclusion of 
providers in the definition of a part 2 
program; such determinations are fact- 
specific. Also, a health care provider 
that does not otherwise meet the 
definition of a part 2 program would not 
become a program simply because they 
provided screening, brief intervention, 
and/or referral to treatment within the 
context of general health care. SBIRT is 
discussed in further detail under 
Section V.E (Applicability) below. 

Regarding comments on the meaning
of “primary function,” SAMHSA did
not propose a definition of “primary
function” because it has not historically
received many, if any, questions on its 
meaning. 


Consistent with previously published 
FAQ guidance, we reiterate that “Holds
itself out” means any activity that 
would lead one to reasonably conclude 
that the individual or entity provides 
substance use disorder diagnosis, 
treatment, or referral for treatment, 
including but not limited to: 

• Authorization by the state or federal
government (e.g. licensed, certified,
registered) to provide, and provides,
such services,

• Advertisements, notices, or
statements relative to such services, or

• Consultation activities relative to
such services.


i. Qualified Service Organization 


SAMHSA is adopting the definition of 
“Qualified Service Organization” as 
proposed. SAMHSA has revised the 
definition of QSO to include population 
health management in the list of 
examples of services a QSO may 
provide. SAMHSA also revised the term 
“medical services” as listed in the 
examples of permissible services offered 
by a QSO to clarify that it is limited to 
“medical staffing services.” SAMHSA 
made this revision to emphasize that 
QSOAs should not be used to avoid 
obtaining patient consent. 


Public Comments 


A large number of commenters 
supported the proposed QSO definition, 
particularly the addition of “population
health management.” Many commenters
requested a clarification or a narrow
definition of “population health
management.”


SAMHSA Response 


SAMHSA provided guidance in the 
NPRM preamble regarding what 
constitutes population health 
management services. Specifically, 
population health management refers to 
increasing desired health outcomes and 
conditions through monitoring and 
identifying individual patients within a 
group. To achieve the best outcomes, 
providers must supply proactive, 
preventive, and chronic care to all of 
their patients, both during and between 
encounters with the health care system. 
For patients with substance use 
disorders, who often have comorbid 
conditions, proactive, preventive, and 
chronic care is important to achieving 
desired outcomes. Any QSOA executed 
between a part 2 program and an 
organization providing population 
health management services would be 
limited to the office(s) or unit(s) 
responsible for population health 
management in the organization (e.g., 
the ACO, CCO, CPCMH, or managed 
care organization [MCO]), not the entire
organization and not its participants
(e.g., case managers, physicians, 
addiction counselors, hospitals, and 
clinics). However, the presence of a 
QSOA does not preclude disclosures of 
patient identifying information to other 
individuals within these organizations 
based on a valid part 2-compliant 
consent. 


Public Comments 


Some commenters requested 
clarification about the definition, such 
as whether an HIE could be considered 
a QSO; whether the definition, which 
includes “an individual,” can include
members of the covered entity’s 
workforce; and whether public health 
management staff can share part 2 
information with case managers. 

A few commenters expressed 
opposition to the proposed definition of 
QSO, asserting that patient consent 
should be obtained before making a 
disclosure of substance use disorder 
information to multiple entities. 
Another commenter warned that under 
the definition, it would be difficult to 
track which part 2 patients may or may 
not be within a population health 
program at any given time. 


SAMHSA Response 


The NPRM as well as the current 
(1987) definition of QSO uses the term 
person. Person is defined in the current 
(1987) regulations as: “Person means an
individual, partnership, corporation,
federal, state or local government
agency, or any other legal entity.” The
NPRM definition proposed a
parenthetical: “(also referred to as
individual or entity).” Because both the
1987 regulations and the NPRM
definition of person include both
individuals and entities, the definition
of the term QSO has always included
individuals, as well as entities.

Whether the QSO definition applies 
to members of an entity’s workforce and 
case managers depends on whether they 
meet the definition of QSO as defined 
in § 2.11 because such determinations 
are fact-specific. An individual or entity 
who does not meet the definition of a 
QSO may, however, meet the definition
of “Treating provider relationship” for
the purposes of obtaining consent. 
Likewise, care coordination was not 
added to the list of examples of 
permissible services offered by a QSO 
because care coordination has a patient 
treatment component. 

Under the part 2 governing statute, 
patient records pertaining to the 
patient’s substance use disorder may be 
shared only with the prior written 
consent of the patient or as permitted
under the part 2 statute, regulations, or 
guidance. However, the regulations may 
contain such definitions, and may 
provide for such safeguards and 
procedures, including procedures and 
criteria for the issuance and scope of 
orders, as in the judgment of the 
Secretary are necessary or proper to 
effectuate the purposes of this statute, to 
prevent circumvention or evasion 
thereof, or to facilitate compliance 
therewith. 

Regarding the concern about 
disclosing to multiple entities under a 
QSOA, as noted above, any QSOA 
executed between a part 2 program and 
an organization providing population 
health management services would be 
limited to the office(s) or unit(s)/ 
entity(ies) responsible for population 
health management for the organization 
(e.g., the ACO, CCO, CPCMH, or MCO), 
not the entire organization and not its 
participants (e.g., case managers, 
physicians, addiction counselors, 
hospitals, and clinics). 


Public Comments 


Commenters provided various 
suggestions to improve the definition. 
Several commenters said the definition 
should be expanded to permit a multi- 
party agreement for multi-directional 
sharing of information. Commenters 
said the description of the provision 
should address overlapping 
requirements of HIPAA and part 2 with 
respect to contractual agreements and 
services such as data processing and 
billing. A commenter said facilitating 
entities should be able to enter into QSO 
agreements with participating providers 
to perform quality improvement 
activities. Another commenter said the 
QSO exception to restrictions on 
disclosure should apply to third-party 
payers and other holders of part 2 
information, and the definition should 
include other functions to support 
improved care delivery. 


SAMHSA Response 


Part 2 and its implementing statute 
are much more restrictive than HIPAA. 
Because 42 CFR part 2 and its governing 
statute are separate and distinct from 
HIPAA, the part 2 regulations use 
different terminology than used in 
HIPAA. However, SAMHSA aligned 
policy with HIPAA where possible. 

Because a QSOA is a two-way
agreement between a part 2 program and
an individual or entity providing a
service to the part 2 program, agreements
between more than those two parties
(e.g., multi-party agreements) are
prohibited. A QSOA cannot be used to
avoid obtaining patient consent in the
treatment context.

As stated previously in this preamble, 
SAMHSA is issuing an SNPRM to seek 
further comments and information on 
the disclosure to and use of part 2 
information by the contractors and 
subcontractors of third-party payers and 
other lawful holders for purposes of 
payment, health care operations, and 
other health care related activities 
before establishing any appropriate 
restrictions on disclosures to them. 


Public Comments 


Commenters generally expressed 
opposition to the change of “medical
services” to “medical staffing services”
in the definition. A commenter 
expressed opposition to the 
interpretation that the QSO agreement 
executed between a part 2 program and 
an organization that provided 
population health management services 
would be limited to a specific office(s) 
or unit(s) within the organization that 
is/are tasked with carrying out such 
services. 


SAMHSA Response 


SAMHSA has revised the term 
“medical services” as listed in the 
examples of permissible services offered 
by a QSO to clarify that it is limited to 
“medical staffing services.” SAMHSA 
proposed to make this revision to 
emphasize that QSOAs should not be 
used to avoid obtaining patient consent. 
Accordingly, a QSOA could be used by 
a part 2 program to contract with a 
provider of on-call coverage services 
(previously clarified in FAQ guidance) 
or other medical staffing services but 
could not be used to disclose John Doe’s 
patient identifying information to his 
primary care doctor for the purpose of 
treatment (other than that provided 
under a QSOA for medical staffing 
services). However, an individual or 
entity who is prohibited from providing 
treatment to an individual patient under 
a QSOA may still meet the requirements 
of having a treating provider 
relationship (as that term is defined in 
§ 2.11) with respect to the consent 
requirements in § 2.31. 

With respect to the comment 
regarding an organization providing 
population health management services, 
a QSOA is a two-way agreement 
between a part 2 program and the entity 
providing the service. We reiterate that 
disclosures by a QSO pursuant to a 
QSOA executed between a part 2 
program and an organization that 
provides population health management 
services would be limited to a specific 
office(s) or unit(s)/entity(ies) that is/are 
tasked with carrying out such services
for the organization. SAMHSA believes
this is a needed safeguard to limit 
disclosures to that which is reasonably 
necessary to carry out services under the 
QSOA. 


Public Comments 


Many commenters expressed 
opposition to the exclusion of “care 
coordination” from the QSO definition 
or requested clarification for the 
meaning of “care coordination.” Some 
commenters specifically requested 
adding care coordination to the list of 
services a QSO may provide, reasoning 
that it would facilitate integrated 
substance use disorder, health, and 
mental health services. The commenters 
asserted that the addition would benefit 
patients’ health, safety, and quality of 
life while maintaining confidentiality 
protections. 


SAMHSA Response 


In the NPRM, SAMHSA clarified that 
an individual or entity is prohibited 
from providing treatment to an 
individual patient under a QSOA. 
SAMHSA has revised the term “medical 
services” as listed in the examples of 
permissible services offered by a QSO to 
clarify that it is limited to “medical
staffing services.” SAMHSA proposed to
make this revision to emphasize that 
QSOAs should not be used to avoid 
obtaining patient consent. Accordingly, 
a QSOA could be used by a part 2 
program to contract with a provider of 
on-call coverage services (previously 
clarified in FAQ guidance) or other 
medical staffing services, but could not 
be used to disclose John Doe’s patient 
identifying information to his primary 
care doctor for the purpose of treatment 
(other than that provided under a QSOA 
for medical staffing services). For this 
reason, care coordination and 
medication management, both of which 
have a treatment component, were not 
added to the list of examples of 
permissible services offered by a QSO. 
However, an individual or entity who is 
prohibited from providing treatment to 
an individual patient under a QSOA 
may still meet the requirements of 
having a treating provider relationship 
(as that term is defined in § 2.11) with 
respect to the consent requirements in 
§ 2.31. 

Regarding the request to clarify the 
meaning of “care coordination” and
how it differs from “population health
management,” because SAMHSA
decided not to include care 
coordination in the examples of 
permissible services under the 
definition of a QSO, we did not define 
the term “care coordination” in the
NPRM and, therefore, decline to do so
in this final rule. Population health
management refers to increasing desired 
health outcomes and conditions through 
monitoring and identifying patients 
within a group. 


j. Records 


SAMHSA has revised the proposed 
definition. As suggested by commenters, 
SAMHSA has modified the definition of
“Records” by adding “created by” and
a parenthetical with examples to read as
follows: “Records means any
information, whether recorded or not, 
created by, received, or acquired by a 
part 2 program relating to a patient (e.g., 
diagnosis, treatment and referral for 
treatment information, billing 
information, emails, voice mails, and 
texts). For the purpose of these 
regulations, records include both paper 
and electronic records.” SAMHSA
revised the definition of “Records” to 
include any information, whether 
recorded or not, which includes verbal 
communications, created, received or 
acquired by a part 2 program relating to 
a patient. The revised definition makes 
clear that, for the purpose of the part 2 
regulations, records include both paper 
and electronic records. 


Public Comments 


A commenter remarked that the 
proposed definition of “records” does
not address “identifiability,” asserting
that information that is not individually 
identifiable, that is not reasonably 
capable of being re-identified, or that is 
aggregate may not need to be covered by 
the definition of record. Regarding the 
phrase “whether recorded or not” in the
proposed definition, a couple of 
commenters requested guidance on 
what constitutes “unrecorded 
information.” 


SAMHSA Response 


SAMHSA clarifies that unrecorded 
information includes verbal 
communications and is still considered 
part of the record. To add further clarity 
to the definition, SAMHSA has revised 
the definition of “Records” from the
proposed language by adding examples 
(e.g., diagnosis, treatment and referral 
for treatment information, billing 
information, emails, voice mails, and 
texts). SAMHSA also added the phrase 
“created by” to clarify that “records” 
includes information received, acquired, 
or created by a part 2 program relating 
to a patient. Regarding “identifiability,”
identification is addressed in the term
“Patient identifying information,” not in
the definition of “Record.” The
definition of records is just that and 
does not address information that may 
be disclosed. 


k. Treatment 


SAMHSA is adopting the proposed 
definition of “Treatment.” SAMHSA
has deleted the term “management”
from the “Treatment” definition. 


Public Comments 


A few commenters opposed the 
proposed removal of the term
“management” from the definition of
“treatment” because the narrower
definition would decrease information 
sharing and have a chilling effect on 
care coordination. A couple of 
commenters urged that “treatment” 
should be limited to care of the 
substance use disorder and not be 
extended to include care of other 
medical conditions secondary to or that 
arose because of the substance use 
disorder. One commenter suggested that 
“care” should be defined as it is used 
in the definition of “treatment.”


SAMHSA Response 


SAMHSA removed the term 
“management” from the definition of 
“Treatment” because in today’s health 
care environment, “management” has a 
much broader meaning than it did when 
the regulations were last revised. 
Treatment is not limited to care of the 
substance use disorder because patients 
with a substance use disorder often have 
comorbid conditions. 


3. Terminology Changes 


SAMHSA is adopting the changes 
proposed in this section, as described in 
the NPRM. In addition to changes to 
several definitions, SAMHSA is also 
implementing several terminology 
changes intended to ensure consistency 
in the use of terms throughout the 
regulations and to increase the 
understandability of the rule. First, we 
made revisions to consistently refer to 
law enforcement as “law enforcement
agencies or officials.” Secondly,
SAMHSA revised the part 2 regulations
to use the term “entity” instead of
“organization” wherever possible. 
Thirdly, SAMHSA clarifies that, for the 
purposes of this regulation, the term 
“written” includes both paper and 
electronic documentation. Fourthly, we 
use the phrase “part 2 program or other
lawful holder of patient identifying 
information” to refer to a part 2 program 
or other individual or entity that is in 
lawful possession of patient identifying 
information. A “lawful holder” of
patient identifying information is an 
individual or entity who has received 
such information as the result of a part 
2-compliant patient consent (with a 
prohibition on re-disclosure notice) or 
as a result of one of the exceptions to 
the consent requirements in the statute
or implementing regulations and,
therefore, is bound by 42 CFR part 2. 


Public Comments 


One commenter requested 
clarification about what entities are 
considered “lawful holders” of patient
identifying information in the context of 
complex health care systems. For 
example, would the parent company of 
a health care system, each specific 
hospital, or each entity affiliated with 
the health care system be considered a
“lawful holder”?

Another commenter urged that the 
term “other lawful holder” should be
clearly defined in the final rule. 


SAMHSA Response 


A “lawful holder” of patient
identifying information is an individual 
or entity who has received such 
information as the result of a part 2- 
compliant patient consent (with a 
prohibition on re-disclosure notice) or 
as permitted under the part 2 statute, 
regulations, or guidance and, therefore, 
is bound by 42 CFR part 2. SAMHSA 
cannot determine what entities are
“lawful holders” because such
determinations are fact-specific. In 
addition, SAMHSA determined that it 
was not feasible to define all lawful 
holders of information so has not 
included a definition in the rule. As 
explained in the NPRM, examples of 
“lawful holders” include a patient’s 
treating provider, a hospital emergency 
room, an insurance company, an 
individual or entity performing an audit 
or evaluation, or an individual or entity 
conducting scientific research. This list
provided in the NPRM was intended 
only as an illustrative example of who 
could be a lawful holder. 


4. Other Comments on Definitions


Public Comments


Many commenters expressed general 
support for the proposed clarification of 
definitions. Some commenters sought 
new definitions for terms including HIE; 
recipient; population health 
management and care coordination; 
population health; re-disclosure; law 
enforcement agency or official; 
repository; and scientific research. 

Several commenters addressed the 
“alternative approach” discussed in the 
NPRM for allowing disclosure to 
treating providers by requesting the 
addition of a definition for 
“organization” to § 2.11. Commenters 
generally supported a clear definition of 
“organization” to allow for the exchange 
of part 2 information. One commenter, 
however, opposed relying upon a 
definition rather than specifying the 
process for consent in the rule itself.


SAMHSA Response


SAMHSA did not propose definitions 
for the terms suggested and has decided 
not to pursue the “alternative approach”
since that approach as written received 
no support and only 2 commenters 
supported the “alternative approach
with suggested revisions.” Based on
comments received, the agency has 
addressed disclosures to treating 
providers within this rule’s consent 
requirements. 


E. Applicability (§ 2.12) 


SAMHSA is adopting this section as 
proposed. In addition to the revisions to 
the definition of “Program” and the
addition of a definition for “Part 2
program” mentioned above, SAMHSA
has revised § 2.12(d)(2)(i)(C) so that
restrictions on disclosures also apply to 
individuals or entities who receive 
patient records from other lawful 
holders of patient identifying 
information (see § 2.11, Terminology 
Changes). Patient records subject to 
these regulations include patient 
records maintained by part 2 programs, 
as well as those records in the 
possession of “other lawful holders of
patient identifying information.” 
SAMHSA may issue additional 
subregulatory guidance addressing the 
applicability section, as deemed 
necessary, after publication of the final 
rule. 


Public Comments 


A few commenters supported the 
proposed applicability provisions. Some 
commenters cited relevant preamble 
language but remained uncertain about 
who qualifies as a part 2 provider. 
Several commenters requested greater 
clarification in identifying part 2 
coverage, including whether the 
provisions apply to various models of 
integrated behavioral health and 
primary care; mixed-use facilities that 
provide primary care and behavioral 
health services or mental health and 
substance use treatment; certified 
community behavioral health centers 
that do not necessarily “primarily” 
furnish substance abuse services but 
rather provide a comprehensive 
approach to care; embedded behavioral 
health information within an acute care 
record; a medical facility providing 
several distinct books of business, of 
which only one receives federal 
assistance; pharmacies; dentists; Drug 
Addiction Treatment Act (DATA 2000)- 
waived physicians; employee assistance 
programs that may include substance 
use assessment and counseling; a 
provider who bills Medicaid and 
Medicare but is not otherwise a
“federally assisted program;” and
confidential information related to 
safety and incident reporting. A 
commenter requested clarification about 
the definition of “direct administrative
control” in the proposed provision 
related to exceptions for 
communications within a part 2 
program. A commenter urged 
consideration for reporting by programs 
to a public health registry and suggested 
advantages of such a requirement. 


Some commenters requested 
applicability exemptions. Some 
commenters requested exclusions for 
employee assistance programs; 
Medicaid overutilization control 
programs; and plans with integrated 
care delivery models. Some commenters 
requested exemptions to consent for 
communications between a QSO and a 
part 2 program or third-party payer (e.g., 
Medicaid) and between a part 2 
program. One commenter requested 
clarification that consent and disclosure 
requirements would not apply when the 
patient directs electronic disclosure for 
a consumer health application. A 
commenter requested clarification that 
services are only covered under part 2 
if the personnel are identified as 
providing substance use disorder 
treatment outside the organization to the 
general public. Commenters favored an 
exception for reporting of child abuse 
and elder abuse. A few commenters 
mentioned certain concerns related to 
the proposed rule. A commenter argued 
that the proposed rule would do little to 
simplify requirements for providers, and 
this may result in providers not 
documenting substance use disorder- 
related information in medical records. 
Other commenters opposed the lack of 
protections in the proposal and warned 
that the rule would impose constraints 
and burdens on providing a patient’s 
behavioral health data and impede 
information sharing. A commenter 
stated that general health care 
organizations that hire an employee 
with substance use disorder expertise 
would be considered a covered entity, 
so they may be discouraged from 
integrating substance use disorder 
services into their operation. Similarly, 
hospital emergency departments may be 
discouraged from hiring staff with 
specialized experience in substance use 
disorders. One commenter expressed 
concern that the rule may extend 
protection not just to records for 
substance use disorder treatment, but 
also to medical conditions and 
medications that allow an inference that 
the patient has a substance use disorder. 
One commenter argued that any 
substance use record should be
protected from unauthorized disclosure
for criminal justice investigations. 
Expressing support for the continued 
protection of substance use disorder 
records from disclosure and use in 
criminal investigations except under 
certain conditions, a commenter said 
that while HIPAA and other laws also 
provide similar protections, part 2 has 
more stringent due process and court 
order provisions. 

One commenter argued that the 
proposed rule exceeds the underlying 
statutory requirements in 42 U.S.C. 
290dd-2 by expanding protections of 
substance use information and 
establishing penalties. Another 
commenter mentioned that the HITECH 
revisions to HIPAA already require 
general medical facilities to utilize 
enhanced security measures to protect 
the confidentiality and privacy of 
patient’s health records. 

A few commenters advocated that the 
safeguards applied to protected health 
information (as defined under HIPAA) 
for all other health conditions could 
apply for substance use disorder-related 
information. 

One commenter urged a focus on the 
actual information that requires 
protection, as opposed to the origin of 
the treatment records. Similarly, another 
commenter expressed disappointment 
that SAMHSA rejected the option to 
redefine the applicability of part 2 based 
on the type of substance use disorder 
treatment services, rather than the type 
of provider. 

Several commenters suggested 
exceptions to the applicability of part 2 
regulations. One commenter said 
SAMHSA should create a due diligence 
exception to allow a part 2 program’s 
records to be reviewed in the event of 
a proposed sale of the part 2 facility. 
Another commenter said SAMHSA 
should include an exception to allow 
disclosure of part 2 records in 
connection with the seeking of a grant 
or much needed funding for substance 
abuse patients. A commenter said 
SAMHSA should create a payment 
exception that would allow part 2 
programs to submit information to 
governmental or commercial payers 
without the patient’s prior 
authorization. 

Other commenters stated that 
exceptions should be added for the 
purpose of seeking involuntary 
commitment of an individual who poses 
a likelihood of serious harm to self or 
others by reason of a substance use 
disorder, in accordance with applicable 
provisions of state law and subject to 
appropriate terms regarding the 
continued confidentiality of such data. 
Another commenter stated that the rule 
should specifically permit continued
data collection of substance use disorder 
by state agencies. Another commenter 
stated that an exception limited 
disclosures to law enforcement and 
other appropriate parties in the event a 
committed patient escapes from a 
treatment facility, and to other part 2 
programs and appropriate state agencies 
as necessary for purposes of discharge 
planning or transferring a patient 
without consent. 


SAMHSA Response 


With respect to the comments 
recommending aligning with HIPAA, 
SAMHSA has attempted to do so in this 
final rule to the extent the change was 
permissible under 42 U.S.C. 290dd-2. At 
the same time, part 2 and its governing 
statute are separate and distinct from 
HIPAA and its implementing 
regulations. Because of its targeted 
population, part 2 provides more 
stringent federal protections than most 
other health privacy laws, including 
HIPAA. 

As stated in the preamble discussion 
of the applicability (§ 2.12) in the 
NPRM, SAMHSA considered options for 
defining what information is covered by 
part 2, including defining covered 
information based on the type of 
substance use disorder treatment 
services provided instead of the type of 
facility providing the services. 
SAMHSA however, rejected that 
approach because more substance use 
disorder treatment services are 
occurring in general health care and 
integrated care settings, which typically 
are not covered under the current (1987) 
regulations. Providers who in the past 
offered only general or specialized 
health care services (other than 
substance use disorder services) now, 
on occasion, provide substance use 
disorder treatment services, but only as 
incident to the provision of general 
health. 

The definitions of “Part 2 program”
and “Program” are critical to 
applicability. These terms are defined in 
§ 2.11. The response to comments on the 
definition of program in this final rule 
further clarifies coverage. Holding a 
waiver to prescribe buprenorphine or 
holding a waiver and prescribing 
buprenorphine as part of primary care 
practice does not lead to categorical 
inclusion of providers in the definition 
of a part 2 program; such determinations 
are fact-specific. The same concept 
applies whenever determining 
applicability. 

With respect to comments on part 2 
coverage, although the statute may not 
be explicit with regard to certain 
provisions in 42 CFR part 2, the statute
directs the Secretary to prescribe
regulations to carry out the purpose of 
the statute, which may include 
definitions and may provide for such 
safeguards and procedures that in the 
judgment of the Secretary are necessary 
or proper to effectuate the purposes of 
this section, to prevent circumvention 
or evasion thereof, or to facilitate 
compliance therewith. For various 
models of integrated behavioral health, 
SAMHSA strives to facilitate 
information exchange within new 
health care models while addressing the 
legitimate privacy concerns of patients 
seeking treatment for a substance use 
disorder. These concerns include, but 
are not limited to, the potential for loss 
of employment, loss of housing, loss of 
child custody, discrimination by 
medical professionals and insurers, 
arrest, prosecution, and incarceration. 

The response to comments on the 
definition of program in this final rule 
further clarifies coverage. 

SBIRT is a cluster of activities 
designed to identify people who engage 
in risky substance use or who might 
meet the criteria for a formal substance 
use disorder. Clinical findings indicate 
that the overwhelming majority of 
individuals screened in a general 
medical setting do not have a substance 
use disorder and do not need substance 
use disorder treatment. A health care 
provider that does not otherwise meet 
the definition of a part 2 program would 
not become a part 2 program simply 
because they provide SBIRT within the 
context of general health care. 

For behavioral health facilities, 
SAMHSA notes that federally qualified
health centers, community mental 
health centers, and behavioral health 
clinics meeting the definition of a part 
2 program must comply with 42 CFR 
part 2 and those that do not meet the 
definition of part 2 program do not have 
to comply with 42 CFR part 2 unless 
they become a lawful holder of patient 
identifying information because they 
received patient identifying information 
via consent (along with a notice of 
prohibition on re-disclosure) or as 
permitted under the part 2 statute, 
regulations, or guidance. Rather than 
offer definitions or outline an 
exhaustive list of entities that could 
meet the definition of a part 2 program, 
we prefer to offer illustrative examples 
in the explanation of applicability 
provision of these regulations (see 
§ 2.12(e)(1)). SAMHSA has not received 
questions in the past concerning the 
definition of general medical facility. 

Regarding the question of part 2 
applicability when a patient directs 
electronic disclosure for a consumer 
health application, the NPRM preamble
discussion of lawful holder in the
Terminology Changes section stated: “A 
patient who has obtained a copy of their 
records or a family member who has 
received such information from a 
patient would not be considered a 
‘lawful holder’ of patient identifying 
information in this context.”
Information disclosed by a part 2 
program or a lawful holder of patient 
identifying information is covered by 42 
CFR part 2 and requires patient consent 
unless disclosure is otherwise permitted 
under the part 2 statute or regulations. 
Therefore, it is permissible for a patient 
to disclose information to a personal 
health record or similar consumer 
health application but if a part 2 
program or lawful holder of patient 
identifying information discloses that 
information to the personal health 
record or other similar consumer 
application on behalf of the patient, 
consent would be required. 

Regarding patient records and 
Medicaid overutilization control 
programs, the prohibition on re- 
disclosure (§ 2.32) applies to 
information that would identify, 
directly or indirectly, an individual as 
having been diagnosed, treated, or 
referred for treatment for a substance 
use disorder, such as indicated through 
standard medical codes, descriptive 
language, or both, and allows other 
health-related information shared by the 
part 2 program to be re-disclosed, if not 
prohibited by any other applicable laws. 
Under the current statutory authority, 
patient records pertaining to substance 
use disorder may be shared only with 
the prior written consent of the patient 
or as permitted under the part 2 statute 
and implementing regulations. In 
addition, the authorizing statute 
specifically enumerates the areas of 
non-applicability, which includes the 
reporting under state law of incidents of 
suspected child abuse and neglect to 
appropriate state and local authorities. 
Therefore, SAMHSA did not adopt this 
requested change. Regarding elder 
abuse, if a program determines it is 
important to report elder abuse, 
disabled person abuse, or a threat to 
someone’s health or safety, or if the laws 
in a program’s state require such 
reporting, the program must make the 
report anonymously, or in a way that 
does not disclose that the person 
making the threat is a patient in the 
program or has a substance use disorder, 
or obtain a court order if time allows. 

Some commenters asked about the 
applicability of the part 2 regulations to 
various facilities or entities, such as 
rehabilitation facilities, dentists, and 
pharmacies. In summary, if a provider is 
not a general medical facility or does 
not hold itself out as providing, and
provides, substance use disorder
diagnosis, treatment or referral for
treatment, it would not meet the first
section of the definition of “Program.”
If the provider is either not an identified 
unit within a general medical facility 
that holds itself out as providing, or 
does not provide, substance use 
disorder diagnosis, treatment, or referral 
for treatment, it does not meet the 
second section of the definition of 
“Program.” If the provider either does 
not consist of medical personnel or 
other staff in a general medical facility 
whose primary function is the provision 
of substance use disorder diagnosis, 
treatment, or referral for treatment or is 
not identified as such specialized 
medical personnel or other staff by the 
general medical facility, it does not meet 
the third section of the definition of 
“Program.” Whether embedded
behavioral health information is covered 
by 42 CFR part 2 depends on several 
factors: First, only patient identifying 
information is subject to part 2 
protections. If the acute care facility 
meets the definition of a part 2 program 
and the information would identify, 
directly or indirectly, an individual as
having been diagnosed, treated, or 
referred for treatment for a substance 
use disorder, the information is subject 
to part 2 protections; and if the acute 
care facility received the patient 
identifying information via a valid part 
2 consent (with a notice of prohibition 
on re-disclosure) or as otherwise 
permitted under the part 2 statute or 
regulations, the information is subject to 
part 2 protections. 

With respect to pharmacies, when 
they receive prescriptions directly from 
part 2 programs, the patient identifying 
information related to those 
prescriptions is subject to 42 CFR part 
2 confidentiality restrictions (as 
indicated by the accompanying 
prohibition on re-disclosure notice). 
Pharmacies that receive paper 
prescriptions directly from patients (and 
do not receive a prohibition on re- 
disclosure notice) are, therefore, not 
subject to the part 2 confidentiality
restrictions. However, if the pharmacy 
or pharmacist meets the definition of a 
part 2 program, they must comply with 
the part 2 regulations. 

In response to the commenter’s 
request for clarification that services are 
only covered under part 2 if the 
personnel are identified as providing 
substance use disorder treatment 
outside the organization to the general 
public, the third section of the 
definition of program uses the term 
“personnel” to state that medical 
personnel or other staff in a general
medical facility whose primary function
is the provision of substance use 
disorder diagnosis, treatment or referral 
for treatment and who are identified as 
such providers. This section of the 
definition of program does not include 
the phrase “holds itself out” as do the
first two sections of the definition of 
program. In the third section of the 
definition, the medical personnel or 
other staff must be identified as such 
specialized medical personnel or other 
staff by the general medical facility. 

Although commenters requested an 
exclusion for employee assistance 
programs, the regulation text at 
§ 2.12(d)(1) states: “Coverage includes,
but is not limited to, those treatment or 
rehabilitation programs, employee 
assistance programs, programs within 
general hospitals, school-based 
programs, and private practitioners who 
hold themselves out as providing, and 
provide substance use disorder 
diagnosis, treatment, or referral for 
treatment.”

Commenters requested an exemption 
for communications between a part 2 
program and another entity under 
common ownership or control, but 
SAMHSA declines to make the 
requested change. However, as stated in 
the regulatory text (§ 2.12(c)(3)),
“restrictions on disclosure in these
regulations do not apply to 
communications of information between 
or among personnel having a need for 
the information in connection with their 
duties that arise out of the provision of 
diagnosis, treatment, or referral for 
treatment of patients with substance use 
disorders if the communications are: 

(i) Within a part 2 program; or 

(ii) Between a part 2 program and an 
entity that has direct administrative 
control over the program.” 

SAMHSA declines to add the various 
suggested exceptions to the applicability 
of the part 2 regulations, and encourages 
all stakeholders to consult with legal 
counsel to ensure compliance with 42 
CFR part 2, as well as any other 
applicable federal, state, or local laws or 
regulations. SAMHSA is limited by 
statute to the specific exceptions listed 
in the law; it cannot, therefore, add 
exceptions. As stated previously, 
SAMHSA is authorized to promulgate 
regulations and to provide such 
safeguards and procedures necessary to 
carry out the purposes of the 
authorizing statute. SAMHSA has 
endeavored to strike an appropriate 
balance between the important privacy 
protections afforded patients with 
substance use disorders and the 
necessary exchange of information to 
improve treatment outcomes for these 
individuals. 


F. Confidentiality Restrictions and 
Safeguards (§ 2.13) 


SAMHSA is modifying this section 
slightly from that proposed in the 
NPRM by adding a paragraph clarifying 
responsibility for the List of Disclosures 
requirement. As discussed in the 
proposal, because SAMHSA is revising 
the consent requirements to allow a 
general designation in certain 
circumstances, we have revised § 2.13 
by adding a paragraph (d), which 
requires that, upon request, patients 
who have included a general 
designation in the “To Whom” section
of their consent form must be provided, 
by the entity that serves as an 
intermediary, a list of entities to which 
their information has been disclosed 
pursuant to the general designation (List 
of Disclosures). 

The new § 2.13(d) specifies that 
patient requests for a list of entities to 
which their information has been 
disclosed must be in writing. Consistent 
with the NPRM, we consider “written”
to include both paper and electronic 
documentation. The list is limited to 
disclosures made within the past 2 
years. 

Further, entities named on the 
consent form that disclose information 
pursuant to a patient’s general 
designation (entities that serve as 
intermediaries as described in 
§ 2.31(a)(4)(iii)(B)) must respond to 
requests for a List of Disclosures in 30 
or fewer days of receipt of the request. 


1. Delayed Implementation of List of 
Disclosures Provision 


Public Comments 


Several commenters raised concerns 
about how to interpret the two-year 
delayed implementation of List of 
Disclosures and whether the general 
designation will be used during that 
period. A commenter expressed concern 
about the immediate implementation of 
the general designation while the right 
of patients to obtain a List of Disclosures 
is postponed for two years. 

Other commenters stated that, based 
on the NPRM language, HIEs will not be 
able to take advantage of a general 
designation on the consent form until 
they have the ability to comply with the 
List of Disclosures requirement. 

Commenters said SAMHSA needs to 
clarify that the duty to begin collecting 
and storing disclosures under the 
general designation begins two years 
after the effective date of the final rule 
and not before. 

A commenter recommended that the 
right to obtain a list of those who have 
received the patient’s information 
should be implemented simultaneously 
with any other revisions to the part 2
regulation. Another commenter said
SAMHSA should implement the List of
Disclosures requirement within 90 days. 


SAMHSA Response 


SAMHSA clarifies that the general 
designation on a consent form may not 
be used until entities have the ability to 
comply with the List of Disclosures 
provision. However, SAMHSA has 
removed the two-year delayed 
compliance date for the List of 
Disclosures provision for the reasons 
discussed in Section IV above. 


2. Responsibilities Under the List of 
Disclosures Process 


Public Comments 


Commenters said SAMHSA should 
allow non-treating entities, that do not 
have a treating provider relationship 
with the patient whose information is 
being disclosed and serve as 
intermediaries named on the consent 
form, to release the List of Disclosures 
to the facility where the patient receives 
care (or the part 2 program), rather than 
to the patient directly. One commenter 
said because this process, in which the 
patient/consumer requests and receives 
the List of Disclosures from the site 
where they receive care/part 2 program, 
rather than from the HIE, resembles the 
process currently being used to meet 
HIPAA disclosure requirements, it 
could be implemented without 
requiring additional burdens on HIEs. 
Since most HIEs are not patient-facing, 
commenters stated that there are 
typically not policies or procedures in 
place for interacting with patients 
directly, particularly for patient 
authentication, and suggested it be done 
at the provider level, and that the 
patient communication be maintained at 
the part 2 program level. 

Other commenters said SAMHSA 
does not specify what responsibility, if 
any, the part 2 program has to 
coordinate or verify the compliance of 
the CCO or HIE with the List of 
Disclosures. One commenter said if
SAMHSA intends for the part 2 program 
to have any responsibilities beyond this, 
then it should obtain additional 
feedback from part 2 programs before 
proposing any new obligations. Some 
commenters appeared to assume the 
part 2 program was responsible for the 
List of Disclosures and requested that 
SAMHSA modify the requirement to 
impose the duty directly upon the HIE, 
ACO, CCO, or research institution to 
provide the listing to the patient, rather 
than the part 2 program. 

A commenter said SAMHSA should
clarify what entities must be included
on the List of Disclosures when the
entity is part of a complex healthcare 
system. 

Another commenter said the absence 
of requiring disclosure of individual 
names undermines the intent of the List 
of Disclosures and undermines the 
purpose of expanding the “To Whom”
provision and the patient’s incentive or 
willingness to consent to a general 
designation. The commenter said the 
provision must be very explicit in 
disclosing those agencies or individuals 
that will receive the patients’ medical 
information. 


SAMHSA Response 


Regarding the suggestion to allow 
entities that serve as intermediaries as 
described by § 2.31(a)(4)(iii)(B) to 
release the List of Disclosures to the 
facility where the patient receives care 
(or the part 2 program) or with the 
providers to whom the disclosure was 
made, rather than directly to the patient, 
SAMHSA has decided to retain the 
NPRM language and proposed 
responsibilities because the party 
making the disclosure under the general 
designation should be accountable for 
that disclosure. SAMHSA has clarified 
in paragraph § 2.31(d)(3) that the part 2 
program is not responsible for 
complying with the List of Disclosures 
requirement; the entity that serves as an 
intermediary, as described in 
§ 2.31(a)(4)(iii)(B), is responsible for 
compliance with the List of Disclosures 
requirement. 

SAMHSA plans to issue subregulatory 
guidance that clarifies how the patient 
may request the List of Disclosures from 
intermediaries as described by 
§ 2.31(a)(4)(iii)(B). 

On the responsibility of part 2 
providers to comply with the List of 
Disclosures requirement, SAMHSA 
agrees with the commenters that more 
clarity is needed. In the circumstance in 
which a patient provides a general 
designation in the “To Whom” part of
a consent form, the part 2 program may 
not know to whom the disclosures have 
been made by the entity that serves as 
an intermediary. As such, the List of 
Disclosures provision requires that: The 
entity named on the consent form that 
discloses information pursuant to a 
patient’s general designation (the entity 
that serves as an intermediary, as 
described in § 2.31(a)(4)(iii)(B)) must: (i) 
Respond in 30 or fewer days of receipt 
of the written request; and (ii) Provide, 
for each disclosure, the name(s) of the 
entity(ies) to which the disclosure was 
made, the date of the disclosure, and a 
brief description of the patient 
identifying information disclosed. 
Further, paragraph (d)(3) clarifies that
the part 2 program is not responsible for
complying with § 2.13(d). 

In response to the request for 
clarification on what entities must be 
listed on the List of Disclosures and 
suggestion that individuals (rather than 
entities with whom such individuals are 
affiliated) must be listed, SAMHSA 
clarifies that the List of Disclosures 
must include a list of the entities to 
which the information was disclosed 
pursuant to a general designation. 
Individuals who received patient 
identifying information pursuant to the 
general designation on a consent form 
should be included on the List of 
Disclosures based on an entity 
affiliation, such as the name of their 
practice or place of employment. 
However, if entities that are required to 
comply with the List of Disclosures 
requirement wish to include individuals 
on the List of Disclosures, in addition to 
the required data elements which are 
outlined in § 2.13(d)(2)(ii), nothing in 
this rule prohibits it. 

SAMHSA considered requiring both 
individuals and entities to be included 
on the List of Disclosures but, after
reviewing the Health Information 
Technology Privacy Committee’s 
(HITPC’s) recommendations
(https://www.healthit.gov/sites/faca/files/PSTT_Transmittal010914.pdf),
decided to
require, at a minimum, a list of entities. 
These recommendations addressed the 
HITECH requirement that HIPAA 
covered entities and business associates 
account for disclosures for treatment, 
payment, and health care operations 
made through an EHR. The Transmittal 
Letter recommended, “that the content 
of the disclosure report be required to 
include only an entity name rather than 
a specific individual as proposed in the 
NPRM.” In addition, the Transmittal 
Letter noted that the Organization for 
Economic Cooperation and 
Development (OECD) principles, the 
Fair Credit Reporting Act, and the 
Privacy Act of 1974 do not require that 
the names of individuals be provided. 
The HITPC, a committee established by 
the American Recovery and 
Reinvestment Act of 2009 in accordance 
with the Federal Advisory Committee 
Act (FACA), provides recommendations 
on health IT policy issues to the ONC 
for consideration. The HITPC gave a 
broad charge to its Privacy & Security 
Tiger Team (Tiger Team) “to provide 
recommendations on how to implement 
the requirements of the HITECH Act of 
2009 for covered entities and business 
associates to account for disclosures for 
treatment, payment and health care 
operations made through an EHR.” In the
referenced Transmittal Letter, the 
HITPC did not focus on 42 CFR part 2;
however, given the similarities of the
issues and the importance of the lessons 
the Tiger Team learned, SAMHSA was 
persuaded by the Tiger Team’s 
discussion. 


3. Technological Challenges and Burden 
of the List of Disclosures Provision 


Public Comments 


Many commenters argued that entities 
may not be equipped to maintain and 
provide a List of Disclosures. A few 
commenters expressed general concern 
about the burden associated with the 
List of Disclosures provision. Several 
commenters added that the burden is 
disproportionate to the anticipated 
benefit. Other commenters specified 
areas of burden, including 
administering consents; developing a 
tracking system; manually reviewing or 
auditing all records; and transmitting 
information by U.S. mail. Some 
comments mentioned the operational 
impact of the provision, including the 
impact on existing business practices; 
uncertainty about interoperability with 
additional systems; and operationalizing 
a different approach for HIPAA. One 
commenter argued that HIPAA already 
provides sufficient protections through 
the requirement for tracking and 
providing an accounting of certain 
disclosures. Another commenter 
expressed concern that there are varying 
levels of technical resources available 
for compliance with the rule. 

A commenter warned that one 
component of the Affordable Care Act is 
its focus on sharing of certain medical 
information and the proposed regulation 
may prevent realization of that goal. 
Similarly, another commenter said, if 
HIEs are included in the disclosure 
request, entities would be left with the 
choice of either not sending this 
information, which would then not be 
available in emergent situations, or not 
complying with this requirement. 
Another commenter said creating 
additional accounting requirements, 
without further clarification on the 
interoperability of such EHR systems, 
can create a state of continuous 
uncertainty and flux, deterring 
investment into substance use disorder 
treatment programs within integrated 
care networks. 

Some commenters stated that the 
proposed provision conflicts with 
existing HIPAA accounting of disclosure 
requirements or state laws. Other 
commenters said it would be 
administratively burdensome to 
implement, particularly in light of the 
fact that the health information 
technology industry is still waiting for
OCR to determine how it will address
the HITECH changes to HIPAA 
accounting of disclosures. 

For the above reasons, some 
commenters urged SAMHSA not to 
include the List of Disclosures provision 
in the final rule; delay promulgating 
until OCR decides how it will approach 
the HITECH provisions concerning the 
HIPAA accounting of disclosures 
requirement; and engage with OCR, 
providers, and vendors to fully 
understand the implications of such a 
requirement before establishing an 
implementation date for the List of 
Disclosures requirement. 


SAMHSA Response 


SAMHSA is including the List of 
Disclosures requirement in the final rule 
to balance the flexibility of allowing a 
general designation in the “To Whom”
section of the consent form against the 
protection of patient privacy. We 
understand commenter concerns about 
the technical feasibility of implementing 
the List of Disclosures requirement. 
However, there is no timeframe in 
which part 2 programs and lawful 
holders need to comply with the List of 
Disclosures requirements; only the 
condition that if they choose to have the 
option to disclose information pursuant 
to a general designation on the “To
Whom” part of the consent form, they 
must also be capable of providing a List 
of Disclosures upon request per 
§ 2.13(d). Because the general 
designation is not mandated on a 
consent form, this allows entities time 
to develop and test the technology 
needed for compliance with the List of 
Disclosures requirements or to decide 
not to disclose information pursuant to 
a general designation and not 
implement technology needed for 
compliance with the List of Disclosures 
provision. 


Public Comments 


A commenter said the List of 
Disclosures will impose a complex 
burden upon all parties involved in the 
disclosure and receipt of substance use 
disorder treatment, asserting that the 
disclosing party—if it is not a part 2 
program—would need to know that the 
information being disclosed is subject to 
the part 2 requirements. The commenter 
said there may be a question of whether 
this type of disclosure would be 
prohibited per the Prohibition on re- 
disclosure provision, and this becomes 
more complex if further disclosures or 
re-disclosures take place. 


SAMHSA Response 


SAMHSA responds that the entity 
that serves as an intermediary should be
provided a copy of the part 2-compliant
consent form or the pertinent 
information on the consent form 
necessary for the intermediary to 
comply with the signed consent. The 
providers with a treating provider 
relationship with the patient whose 
information is being disclosed would be 
aware of the part 2 protections because 
the disclosure would also be 
accompanied by the prohibition on re- 
disclosure notice. 


Public Comments 


A commenter said SAMHSA has not 
addressed whether there will be a cost 
to the patient for obtaining a List of 
Disclosures. If patients will be required 
to pay a fee for this list of disclosures, 
the commenter said SAMHSA should 
establish a reasonable fee for the 
provision of the List of Disclosures. 


SAMHSA Response 


SAMHSA strongly encourages entities 
to provide the List of Disclosures at no 
charge to the patient. 


4. Recommendations To Further Protect 
Patient Privacy 


Public Comments 


A commenter said SAMHSA should 
require the List of Disclosures to include 
all disclosures of the patient’s health 
information, whether such disclosure 
was made pursuant to a consent form, 
QSOA, medical emergency, or any other 
means. Similarly, another commenter 
stated that, when a record of all uses 
and disclosures already exists, a 
program should be required to make 
that record available to a patient upon 
request. Other commenters asserted that 
the List of Disclosures should be 
presented to the patient at the time the 
consent is signed, rather than after the 
disclosures have been made. A 
commenter said patients should also be 
given the option, at the time of signing, 
to cross out entities to whom they do 
not want their information disclosed. 
Also, a commenter said patients should 
be informed of changes to the list that 
may now have access to their 
information. 

Some commenters expressed concern 
that the List of Disclosures would be 
limited to disclosures made within the 
past two years, which does not allow 
the patient to learn about past data 
breaches. Some commenters 
recommended expanding the time 
period to five years or not including a 
time limit. 


SAMHSA Response 


In response to these concerns and 
recommendations about increasing 
patient privacy rights, SAMHSA 
clarifies that the List of Disclosures
provision was proposed in the NPRM as
a way to balance the revision to the
consent form allowing a more general
designation in the “To Whom” section,
which is optional. The List of 
Disclosures provision is limited to 
information disclosed pursuant to the 
general designation by the entity that 
serves as the intermediary, but these 
entities as well as part 2 programs are 
not prohibited from providing patients 
with all available information. Patients 
will have the right to request this List 
of Disclosures and have it produced in 
a timely fashion; however, SAMHSA 
has chosen not to require entities to 
provide this information at the time of 
patient consent as this would be 
impossible because disclosure of the 
patient’s information has not occurred 
at that point. SAMHSA also emphasizes 
that patients are not required to use a 
general designation in the “To Whom” 
section of the consent form. Therefore, 
patients can limit disclosures by a more 
concrete specification (i.e., named 
individual(s)). 


In response to the comments on
expanding the time period that the List 
of Disclosures covers, this final rule’s 
provision to limit the List of Disclosures 
to those made within the last two years 
does not preclude an entity that serves 
as an intermediary from providing the 
patient with a list covering disclosures 
made for periods greater than two years. 


Public Comments 


A commenter said SAMHSA should 
not include the sample language for a 
request for a List of Disclosures under 
the general designation in the final rule 
because HIPAA has shown that entities 
construe such sample language as 
mandates to use the sample language, 
thereby making it more difficult for an 
individual to request such information, 
and hindering their ability to obtain 
such information contrary to the intent 
of the proposed rule. The commenter 
suggested that SAMHSA, as part of this 
rule or in subregulatory guidance at a 
later date, recommend that certain 
criteria be included as part of an 
individual’s request for such 
disclosures. 


SAMHSA Response 


SAMHSA did not intend for the 
sample language for a request for a list 
of disclosures provided in the NPRM to 
be construed as a requirement for 
requesting a List of Disclosures, but 
rather to assist patients in making such 
a request. SAMHSA is retaining the 
sample language in this rule. 


Public Comments 


A commenter asserted that states can 
set a higher standard than part 2, but the 
NPRM language would lead the patient 
to think that they could get information 
via unencrypted email. The commenter 
suggested the provision be modified to 
indicate that responses sent to the 
patient electronically may be sent by 
unencrypted email at the request of the 
patient “so long as it is not prohibited
by applicable law.” In addition, the 
commenter said the final rule should 
require patients to be notified that there 
may be some level of risk that the 
information in an unencrypted email 
could be read by a third party. In 
addition, the commenter said the rule 
should state that, if patients are notified 
of the risks and still prefer unencrypted 
email, the patient has the right to 
receive the information in that way, and 
entities are not responsible for 
unauthorized access of the information 
while in transmission to the patient 
based on the patient’s request. 


SAMHSA Response 


The language regarding unencrypted 
email transmissions appears in the 
NPRM preamble only and acknowledges 
both encrypted and unencrypted email 
as acceptable modes of transmission. 
The language goes on to say: “Responses
sent to the patient electronically may be 
sent by encrypted transmission (e.g., 
encrypted email or portal), or by 
unencrypted email at the request of the 
patient, so long as the patient has been 
informed of the potential risks 
associated with unsecured transmission. 
Patients should be notified that there 
may be some level of risk that the 
information in an unencrypted email 
could be read by a third party. If 
patients are notified of the risks and still 
prefer unencrypted email, the patient 
has the right to receive the information 
in that way, and entities are not 
responsible for unauthorized access of 
the information while in transmission to 
the patient based on the patient’s 
request. Before using an unsecured 
method to respond to a request for a list 
of disclosures, an entity should take 
certain precautions, such as checking an 
email address for accuracy before 
sending it or sending an email alert to 
the patient for address confirmation to 
avoid unintended disclosures.” 
SAMHSA does not intend to be 
prescriptive regarding how the 
information is relayed to the patient or 
to preempt applicable state law that may 
prohibit unencrypted transmission (see 
§ 2.20). 


Public Comments 


A commenter said the NPRM 
abandoned the current statement that 
the rule does not restrict a disclosure 
that “an identified individual is not and 
has never been a patient.” The 
commenter said the new approach 
militates against fishing by third parties. 


SAMHSA Response 


SAMHSA agrees with the commenter 
that prohibiting a disclosure that “an 
identified individual is not and has 
never been a patient” militates against 
fishing by third parties. In the NPRM, 
SAMHSA proposed to remove the 
concept from § 2.13(c)(2) that the 
regulations do not restrict a disclosure 
that an identified individual is not and 
never has been a patient and has 
retained this position in the final rule. 


Public Comments 


Commenters made other 
recommendations relating to the 
proposed List of Disclosures 
requirement focused on generally 
improving patients’ rights, including 
suggestions to keep information 
confidential; notify when a treating 
provider has accessed the patient’s 
confidential information; ensure 
patient-approved information sharing; 
provide a process by which an 
individual can raise a complaint; and 
disclose to patients in plain language. 


SAMHSA Response 


SAMHSA acknowledges and shares 
the commenters’ concerns with patient 
privacy. We believe that the List of 
Disclosures requirement as proposed in 
the NPRM is adequate to inform patients 
of how their information has been 
shared in the event that they provided 
a general designation in the “To Whom” 
portion of their consent. SAMHSA 
encourages entities to provide the 
information associated with a List of 
Disclosures in plain language and with 
sufficient specificity so that patients 
understand the List of Disclosures, 
including the brief description of the 
patient identifying information 
disclosed. 


5. Other Comments and 
Recommendations on the List of 
Disclosures Provision 


Public Comments 


One commenter recommended that 
SAMHSA allow consent to include a 
description of HIE as a function to 
support patient care, and exclude this 
function from the information 
disclosure accounting [List of 
Disclosure] requirement. 

A commenter recommended that 
SAMHSA offer additional guidance on 
best practices and make infrastructure 
grants available to create the necessary 
modifications within providers’ EHRs or 
other consent tracking systems. 

Some commenters made other 
suggestions. For example, a commenter 
requested that SAMHSA define “in 
writing” and “written requests” as those 
terms are used in the List of Disclosures 
provision (§ 3.13(d)). Another 
commenter urged SAMHSA to explore 
options to reduce the cost of the List of 
Disclosures provision and further clarify 
how the enhanced protection of 
substance use disorder treatment 
information can be consistent and 
interoperable with other health systems. 


SAMHSA Response 


As for the request to define “in 
writing” and “written requests” as those 
terms are used in the List of Disclosures 
provision, in the NPRM preamble 
discussion of Terminology Changes, 
SAMHSA explained that for the 
purposes of this regulation, we also 
propose that the term “written” include 
both paper and electronic 
documentation. 

The consent requirements (§ 2.31) 
include the option of including in the 
“To Whom” section of the consent form 
the name of an entity that does not have 
a treating provider relationship with the 
patient whose information is being 
disclosed (and is not a third-party payer 
that requires patient identifying 
information for the purposes of 
reimbursement for the services rendered 
by the part 2 program) and either the 
name(s) of an individual participant(s); 
or the name(s) of an entity participant(s) 
that has a treating provider relationship 
with the patient whose information is 
being disclosed; or a general designation 
of an individual or entity participant(s) 
or class of participant(s) who has a 
treating provider relationship with the 
patient whose information is being 
disclosed. Any HIE that serves as an 
intermediary is subject to the List of 
Disclosures requirement regardless of its 
other “functions.” Regarding the 
requests for guidance, SAMHSA may 
issue additional subregulatory guidance 
on this provision after this final rule is 
published. 


G. Security for Records (§ 2.16) 


SAMHSA is adopting this section as 
proposed except for some 
non-substantive, technical changes to the 
language in proposed § 2.16(a)(2)(i). 
SAMHSA is modernizing this section to 
address both paper and electronic 
records. First, SAMHSA revised the 
heading by deleting the word “written” 
so that it now reads: Security for 
Records. Secondly, SAMHSA clarified 
that this section requires both part 2 
programs and other lawful holders of 
patient identifying information to have 
in place formal policies and procedures 
for the security of both paper and 
electronic records. Finally, SAMHSA 
has replaced language in other sections 
of part 2 with a reference to the policies 
and procedures established under 
§ 2.16, where applicable. As noted 
above, SAMHSA has made some 
technical changes to the language in 
proposed § 2.16(a)(2)(i). In particular, to 
more closely align with the HIPAA 
Security Rule, SAMHSA has revised 
§ 2.16(a)(2)(i) to require that part 2 
program security for electronic records 
policies must include “creating, 
receiving, maintaining, and transmitting 
such records.” The proposed language 
was “copying, downloading, 
forwarding, transferring, and removing 
such records.” 


Public Comments 


Some commenters supported the 
proposed provisions on security and 
stated that they provide appropriate 
protections. However, many 
commenters asserted that the security 
provisions of HIPAA should be followed 
and that those requirements should 
satisfy the part 2 provisions. 

A commenter also supported the use 
of internal confidentiality agreements. 

A commenter expressed concern that 
the rule does not address what a 
non-part 2 provider who receives part 2 data 
must do to ensure adequate safeguards 
are in place. Similarly, another 
commenter expressed concern about 
security obligations that would be 
placed on other lawful holders, such as 
courts, law firms, family members, or 
other private citizens who are often not 
the types of providers subject to the 
current (1987) part 2. 

One commenter recommended an 
expiration date for electronic records. 
Another commenter recommended that 
the use of secure, certified HIT be added 
as a requirement for part 2 program 
providers, as well as any services 
provided that conduct audits and 
evaluations related to transition of 
patient information. 


SAMHSA Response 


SAMHSA appreciates the support of 
commenters on this issue. On the issue 
of HIPAA, covered entities must comply 
with all regulations that are applicable 
to them. Because some entities subject 
to this rule are not subject to HIPAA, 
SAMHSA may provide subregulatory 
guidance after the rulemaking on the 
extent to which compliance with 
HIPAA security requirements, for those 
subject to them, will satisfy § 2.16. 
SAMHSA emphasizes that if an entity 
already has security practices and 
policies in place that meet the 
requirements of this rule, whether those 
practices were developed to meet the 
regulatory requirements or simply as a 
matter of good practice, the entity may 
not need to take additional action on 
this issue. In the NPRM, SAMHSA 
suggested resources for part 2 programs 
and other lawful holders for developing 
formal policies and procedures 
including materials from the HHS Office 
for Civil Rights (e.g., Guidance 
Regarding Methods for De-identification 
of Protected Health Information in 
Accordance with the Health Insurance 
Portability and Accountability Act 
(HIPAA) Privacy Rule), and the National 
Institute of Standards and Technology 
(NIST) (e.g., the most current version of 
the Special Publication 800-88, 
Guidelines for Media Sanitization). 

On the issue of use of internal 
confidentiality agreements and the 
required use of secure, certified Health 
IT, § 2.16 provides requirements for 
formal policies and procedures to 
reasonably protect against unauthorized 
uses and disclosure of patient 
identifying information and to protect 
against reasonably anticipated threats or 
hazards to the security of patient 
identifying information. A part 2 
program or other lawful holder of 
patient identifying information may 
impose any additional requirements that 
they feel will enhance protections. 

With regard to security of the records 
lawfully obtained by non-part 2 
programs, § 2.16 applies equally to these 
entities (referred to as lawful holders of 
patient identifying information). The 
required formal policies and procedures 
are intended to ensure protection of 
patient identifying information when 
electronic records are exchanged 
electronically using health IT, as well as 
when they are exchanged using paper 
records. In addition, the formal policies 
and procedures will have to address, 
among other things, the sanitization of 
hard copy and electronic media, which 
is addressed in the NPRM discussion of 
Disposition of Records by Discontinued 
Programs (§ 2.19). On the concern 
raised that § 2.16 places an 
unreasonable burden on courts, law 
firms, family members, or other private 
citizens who may obtain the 
information, a patient who has obtained 
a copy of his or her records or a family 
member or private citizen who has 
received such information from a 
patient would not be considered a 
lawful holder of patient identifying 
information in this context. Generally, 
consents and permissible disclosures 
are initiated by a lawful holder who 
desires the information and, therefore, 
the lawful holder would already be 
familiar with part 2. 


H. Disposition of Records by 
Discontinued Programs (§ 2.19) 


SAMHSA is modifying this section 
from that proposed in the NPRM in 
response to public comments, as 
discussed below. In this section, 
SAMHSA addresses the disposition of 
both paper and electronic records by 
discontinued programs, including 
added requirements for sanitizing paper 
and electronic media, which is 
distinctly different from deleting 
electronic records and may involve 
clearing (using software or hardware 
products to overwrite media with 
non-sensitive data) or purging (degaussing or 
exposing the media to a strong magnetic 
field in order to disrupt the recorded 
magnetic domains) the information from 
the electronic media. If circumstances 
warrant the destruction of the electronic 
media prior to disposal, destruction 
methods may include disintegrating, 
pulverizing, melting, incinerating, or 
shredding the media. SAMHSA expects 
the process of sanitizing paper media 
(including printer and facsimile (FAX) 
ribbons, drums, etc.) or electronic media 
to be permanent and irreversible, so that 
there is no reasonable risk that the 
information may be recovered. For the 
purpose of this rule, SAMHSA makes a 
distinction between electronic devices 
(something that has computing 
capability, such as a laptop, tablet, etc.) 
and electronic media (something that 
can be read on an electronic device, 
such as a CD/DVD, flash drive, etc.). 


Public Comments 


A commenter expressed support for 
the proposal related to disposition of 
records by discontinued programs. 
Another commenter recommended that 
the rule allow for “selective sanitizing,” 
using methods that will not require 
overwriting the entire electronic media. 
Two commenters asked about patient 
records when a program is acquired by 
another program. A commenter 
suggested that the rule should address 
situations in which a patient cannot be 
located or is deceased and cannot give 
consent. The commenter provided 
multiple suggestions relating to 
disposition of records, including permit 
more flexible means of storage; permit 
scanning and electronic storage of 
records; do not require transfer to a 
portable device; offer an option to store 
records in a production encrypted 
network storage device. This commenter 
also asserted that sanitation of 
electronic communications would not 
be feasible in organizations storing 
millions of electronic records; requiring 
storage of a portable electronic device in 
a sealed container does not add 
additional security if it is already 
encrypted; and deleting substance use 
information from records does not 
conceal the fact that someone has a 
substance use disorder but instead 
highlights the fact. 


SAMHSA Response 


SAMHSA acknowledges the support 
for the proposed provision. With regard 
to the issue of multiple sources of 
records, we have revised the language in 
the final rule to allow one year to 
complete the process of sanitizing paper 
or electronic media (see § 2.19(b)(2)(iii)). 
This change should allow for select 
patient records to be removed from both 
the specific site and any operational 
sources without disrupting other patient 
records. Regarding acquisition of one 
program by another, the § 2.19(a) 
regulatory text outlines the exceptions 
to removing patient identifying 
information from its records or 
destroying its records. 

If the patient cannot be located or is 
deceased and cannot give consent, the 
part 2 program that has discontinued 
operations or is taken over or acquired 
by another program, must remove the 
patient’s identifying information from 
its records, including sanitizing any 
associated hard copy or patient records 
or patient identifying information 
residing on electronic media, to render 
the patient identifying information 
non-retrievable in a manner consistent with 
policies and procedures under § 2.16. 

Regarding comments on more flexible 
means of electronic record storage, 
SAMHSA has revised § 2.19(b)(2) to 
allow for more flexibility. The revised 
language allows for electronic records to 
be transferred to a portable electronic 
device with implemented encryption to 
encrypt the data at rest so that there is 
a low probability of assigning meaning 
without the use of a confidential process 
or key and implemented access controls 
for the confidential process or key (see 
§ 2.19(b)(2)(i)); or transferred, along with 
a backup copy, to separate electronic 
media, so that both the records and the 
backup have implemented encryption to 
encrypt the data at rest so that there is 
a low probability of assigning meaning 
without the use of a confidential process 
or key and implemented access controls 
for the confidential process or key (see 
§ 2.19(b)(2)(ii)). For electronic storage of 
the records, if the records are scanned, 
they would have to be maintained 
consistent with § 2.19(b)(2) and the 
paper records would have to be 
destroyed consistent with § 2.16. 
Regarding portable device storage, the 
final § 2.19 language specifies that the 
portable electronic device or the original 
and backup electronic media must be 
sealed in a container along with any 
equipment needed to read or access the 
information. The sealed container 
prevents the portable electronic device 
or the original and backup electronic 
media from being separated from the 
equipment needed to read or access the 
information. 


I. Notice to Patients of Federal 
Confidentiality Requirements (§ 2.22) 


SAMHSA is adopting this section as 
proposed. Consistent with the NPRM, 
SAMHSA considers the term “written” 
to include both paper and electronic 
documentation. Accordingly, the notice 
to patients may be either on paper or in 
an electronic format. SAMHSA also 
revised § 2.22(b)(2) to require the 
statement regarding the reporting of 
violations to include contact 
information for the appropriate 
authorities. 


Public Comments 


Several commenters expressed 
support for the proposed provisions, 
particularly the allowing of electronic 
notice, and they encouraged the use of 
plain language and notices in languages 
other than English. Several commenters 
recommended that SAMHSA should 
make a sample notice or language 
available to covered entities. One 
commenter asked how written notice 
can be provided for encounters that are 
not in person. 

Other commenters suggested that the 
patient be given copies rather than 
written summaries of state and federal 
law; a paper report, if requested; the 
right to request and obtain restrictions; 
and a description of how patient 
information may be disclosed for 
scientific research. 


SAMHSA Response 


The final rule requires that the notice 
include contact information for the 
appropriate authorities for reporting 
violations. SAMHSA believes this 
change will make it easier for patients 
to identify to whom they should file a 
complaint of a potential violation of part 
2. Therefore, SAMHSA declines to 
include a sample complaint form at this 
time but may consider whether to issue 
one outside of this rulemaking process. 
SAMHSA also declines to require copies 
rather than summaries of state and 
federal law because the notice to 
patients of federal confidentiality 
requirements is required to provide 
citations to the federal law and 
regulations that protect the 
confidentiality of patient records and 
including information concerning state 
laws and regulations is optional. The 
notice must also be provided in writing 
but as was discussed in Terminology 
Changes (§ 2.11), the term “in writing” 
includes both paper and electronic 
documentation. Because the purpose of 
the notice is to communicate to the 
patient the federal law and regulations 
that protect the confidentiality of 
patient records, SAMHSA declines to 
require anything additional. However, if 
a part 2 program wishes to provide 
additional information, nothing in this 
provision prohibits them from doing so. 


J. Consent Requirements (§ 2.31) 


SAMHSA is finalizing the consent 
requirements in this section, with 
certain modifications as described in 
greater detail below. In summary, 
SAMHSA is adopting all proposed 
changes to § 2.31 except for two at this 
time. In the “From Whom” section of 
the consent requirements (§ 2.31(a)(2)), 
SAMHSA decided not to finalize its 
proposal to remove the general 
designation option, but did make minor 
updates to the terminology in the 
current (1987) regulatory text. As 
explained in greater detail below, the 
final “From Whom” provision of the 
consent requirements specifies that a 
written consent to a disclosure of part 
2 information must include the specific 
name(s) or general designation(s) of the 
part 2 program(s), entity(ies), or 
individual(s) permitted to make the 
disclosure. SAMHSA also decided not 
to finalize the proposed requirement 
that a part 2 program or other lawful 
holder of patient identifying 
information obtain written confirmation 
from the patient that they understand 
the terms of the consent. 


SAMHSA has revised the section 
heading from “Form of written consent” 
to “Consent requirements.” SAMHSA 
also made revisions to the two other 
sections of the consent form 
requirements: the “To Whom” section 
and the “Amount and Kind” section. 
SAMHSA also revised § 2.31 to require 
a part 2 program or other lawful holder 
of patient identifying information to 
include on the consent form that 
patients, when using a general 
designation in the “To Whom” section 
of the consent form, have the right to 
obtain, upon request, a List of 
Disclosures (see § 2.13). In addition, 
SAMHSA revised § 2.31 to permit 
electronic signatures to the extent that 
they are not prohibited by any 
applicable law. 


1. General Comments on Consent 
Requirements 


a. General 


Public Comments 


SAMHSA received many comments 
on the proposed rule’s updated consent 
requirements. Some commenters 
generally supported the new consent 
requirements. Other commenters listed 
various reasons for their support, 
including increased facilitation of 
informed patient decisions, increased 
patient choice with regard to protection 
of their health information, and 
increased sharing of health care records 
among providers. One commenter 
supported the use of paper and 
electronic forms of written consent. 

Many commenters, however, 
expressed general opposition to the 
proposed consent requirements. Several 
commenters argued that the proposed 
rule created unnecessary burdens for 
providers, such as staff training, 
constant updates to consent forms, and 
expensive updates to provider EHRs. 
Several commenters argued the 
proposed consent rules would create 
obstacles to information sharing and 
integrated care. Specifically, a 
commenter argued that the “To Whom” 
and “From Whom” format restricts who 
within organizations can view a 
patient’s records, further hampering 
coordinated care. Another commenter 
argued that the proposed consent form 
requirements would make it difficult for 
many HIEs to exchange part 2 
information, and that the new 
requirements do little to promote a 
patient’s informed consent. A couple of 
commenters argued that the proposed 
regulations would reduce access to 
substance use disorder treatment being 
added by general health care 
organizations, due to administrative 
burden and liability fears. General 
health care providers are less likely to 
add substance use disorder treatment, or 
partner or undertake projects with 
substance use disorder treatment 
providers. Another commenter stated 
this rule may result in providers not 
screening patients for substance use 
disorders and not documenting 
substance use disorder related 
information. 

According to a few commenters, the 
current part 2 regulations exceed the 
statutory requirements that led to the 
regulations. One commenter suggested 
that 42 U.S.C. 290dd-2 requires consent 
to share information and does not allow 
any shared information to be used for 
prosecution. The commenter goes on to 
state that nothing in Title 42, U.S.C. 
290dd-2 requires an explicit description 
of what information can be released, or 
requires time limits on consent. The 
commenter suggested that SAMHSA 
could reduce confusion and 
administrative burden by proposing 
revisions that are much more consistent 
with HIPAA than its current proposal. 


SAMHSA Response 


Regarding the comments on statutory 
authority, we do not agree that the 
regulations in 42 CFR part 2 exceed the 
authority provided for in 42 U.S.C. 
290dd-2. The statute specifies that 
patient identifying information may be 
disclosed in accordance with prior 
written patient consent, “but only to 
such extent under such circumstances, 
and for such purposes as may be 
allowed under regulations prescribed” 
by the Secretary. 

Regarding concerns about 
unnecessary burdens for providers, such 
as staff training, constant updates to 
consent forms, and expensive updates to 
provider EHRs, these burdens might be 
offset by the benefits of increased 
flexibility in the consent requirements. 
With respect to obstacles to information 
sharing, one of SAMHSA’s goals for this 
rulemaking is to ensure that patients 
with substance use disorders have the 
ability to participate in and benefit from 
new integrated health care models 
without fear of putting themselves at 
risk of adverse consequences. 


Public Comments 


Some commenters stressed that 
consent forms should be easy to read, 
accessible to limited English proficiency 
patients, and should meet HIPAA’s 
plain language requirements. 
Commenters stated that language and 
literacy concerns could be barriers to 
actual understanding of the form’s 
contents. Similarly, suggesting that 
SAMHSA take into account the reading 
level standards in other health 
programs, including Medicare and 
Medicaid, one commenter asserted that 
the proposed regulations do not provide 
adequate options for an individual to 
easily and simply determine who can or 
cannot access their substance use 
disorder records. 


SAMHSA Response 


SAMHSA agrees with the commenters 
that the consent form should be written 
clearly so that the patient can easily 
understand the form. SAMHSA is 
considering issuing subregulatory 
guidance in the future to provide 
examples of forms that comply with the 
basic consent requirements in § 2.31(a). In 
addition, SAMHSA encourages part 2 
programs to be sensitive to the cultural 
and linguistic composition of their 
patient population when considering 
whether the consent form should also be 
provided in a language(s) other than 
English (e.g., Spanish). 


b. Consent Form Validity Period 


Public Comments 


Several commenters stated that a 
two-year time limit for the validity of 
consent is insufficient, with some 
commenters suggesting that consent 
forms be valid indefinitely or until 
death. For example, one commenter 
asked why SAMHSA would deny a 
person who has received substance use 
disorder treatment the right to decide 
that they want any and all information 
regarding their treatment shared with 
any and all of their health care 
providers indefinitely as needed for 
coordination of care. Another 
commenter stressed the language of 
§ 2.31(a) was confusing and requested 
clarification on the permissible length of 
time a consent is valid. 


SAMHSA Response 


Under § 2.31, a part 2-compliant 
consent form must list the date, event, 
or condition upon which the consent 
will expire, if not revoked before. Thus, 
it is not sufficient under part 2 for a 
consent form to merely state that 
disclosures will be permitted until the 
consent is revoked by the patient. It is, 
however, permissible for a consent form 
to specify the event or condition that 
will result in revocation, such as having 
its expiration date be “upon my death.” 
The rule does not set a two-year time 
limit for consents, as some commenters 
thought. 


c. Technical Challenges to Proposed 
Consent Requirements 


Public Comments 


Commenters expressed concern about 
the technical challenges providers 
would face in complying with the 
proposed consent requirements. 
Generally, commenters expressed 
concern that few, if any, EHR systems 
and/or HIEs have the capability to 
segregate substance use disorder patient 
information in a way that could fully 
support the rule by reflecting the 
patient’s consent choices, and many 
providers would have to expend 
significant amounts of funds to create or 
acquire a compliant system. 
Commenters argued that if providers do 
not have data segmentation capability, 
they may simply exclude substance use 
disorder patient data from their systems, 
thus adversely impacting system 
integration and patient care. 

A couple of commenters asserted that 
EHR, HIE, and other electronic records 
systems have no way of selecting 
different levels of consent for treating 
providers. Specifically, a commenter 
stated that SAMHSA should remove 
requirements for varied levels of 
consent within a given organization 
(e.g., between departments or 
individuals), instead limiting such 
variation to HIEs that share information 
between or across organizations. A 
commenter stated that it is not feasible 
to do individual exclusionary consents 
in an HIE, especially for an entity that 
has thousands of employees across 
multiple states. 

A commenter stated that providers in 
an integrated care network may be 
precluded from performing important 
quality improvement checks because no 
set of clinically integrated network 
officials can be expected to have a direct 
treatment relationship with every 
patient in the large data pools necessary 
to drive these important public health 
efforts. 

A commenter stated that the 
confidentiality of a substance use 
disorder patient’s information should 
not be compromised if some electronic 
systems were poorly designed and 
without regard for part 2. Similarly, 
another commenter stated that 
technology should be regarded as a tool 
and should not diminish a patient’s 
privacy rights. 


SAMHSA Response 


SAMHSA acknowledges the concerns 
regarding technical challenges to the 
consent requirements and data 
segmentation more broadly. As stated 
above, SAMHSA has played a 
significant role in encouraging the use 
of health IT by behavioral health 
(substance use disorders and mental 
health) providers and towards 
minimizing technical burdens through a 
variety of activities. SAMHSA actively 
participates in the development and 
stewarding of data standards to promote 
data segmentation and interoperability. 
Specifically, the Data Segmentation for 
Privacy (DS4P) initiative within ONC’s 
Standards and Interoperability (S&I) 
Framework facilitated the development 
of standards to improve the 
interoperability of EHRs containing 
sensitive information that must be 
protected to a greater degree than other 
health information due to 42 CFR part 
2 and similar state laws. The DS4P 
standards were used in several pilot 
projects, including the Department of 
Veterans Affairs (VA)/SAMHSA Pilot, 
which implemented all the DS4P use 
cases and passed all conformance tests; 
and SAMHSA’s Opioid Treatment 
Program (OTP) Service Continuity Pilot 
that connected OTPs to an HIE to 
facilitate continuity of care during 
disasters or other unexpected 
disruptions in service. Additionally, 
DS4P standards were adopted in ONC’s 
2015 Edition final rule (80 FR 62702, 
Oct. 16, 2015) as part of the 2015 
Edition Health IT Certification Criteria 
(2015 Edition). See 45 CFR 170.315(b)(7) 
and (8). SAMHSA has also supported 
the development of the application 
branded Consent2Share, an open-source 
health IT solution based on DS4P, 
which assists in consent management 
and data segmentation and is currently 
being used by the Prince George’s 
County (Maryland) Health Department 
to manage patient consent directives 
while sharing substance use disorder 
information with an HIE. SAMHSA is 
currently updating Consent2Share, 
slated for release in late 2016, with the 
aim that its streamlined data stack and 
improved functionality will lower 
barriers to implementation in the field. 
SAMHSA is considering issuing 
subregulatory guidance in the future to 
address other technical solutions to 
complying with the regulation. 

Regarding the comment that it is not 
feasible to do individual exclusionary 
consents in an HIE, the HIE does not 
have to give the patient the option to do 
individual level consent. SAMHSA has 
provided more flexibility in the consent 
provisions in an effort to ensure that 
patients with substance use disorders 
have the ability to participate in and 
benefit from new integrated health care 
models while, at the same time, 
maintaining core confidentiality 
protections. 


d. Requests for Exemptions and 
Exceptions 


Public Comments 


Several commenters requested various 
exemptions or exceptions from the part 
2 consent requirements, including a 
public health exception similar to that 
of the HIPAA Privacy Rule (see 
http://www.hhs.gov/hipaa/for-professionals/special-topics/public-health/index.html), 
an exemption for CCOs 
who have a treating relationship with a 
patient, an exemption for ACOs who 
have integrated delivery systems, an 
exception for state health data 
organizations that collect data under 
legislative authority and collection of 
substance use disorder data by state 
agencies, and in instances where part 2 
data may be used to improve patient 
care coordination, ensure 
interoperability, and ensure patient 
safety. One commenter requested an 
exception for care coordination 
purposes for valid and vital clinical 
reasons. 

Regarding § 2.20 (Relationship to state 
laws), a commenter said SAMHSA 
should include an exception under part 
2, subpart D (Disclosures Without 
Patient Consent) allowing disclosures of 
substance use disorder treatment 
information based on state laws that 
authorize or compel such disclosures 
(e.g., for public health or medical 
assistance reasons). Another 
commenter, noting the role of multi- 
payer claims databases or MPCDs (also 
known as all payer claims databases 
(APCDs)), suggested that SAMHSA add 
a new section to include state health 
data organizations that collect data 
under a legislative authority, reasoning 
that these states have decades of 
experience in collecting and managing 
sensitive data with strict legal and 
policy controls. 

A commenter said SAMHSA should 
permit oral consent with documentation 
and specific information to be shared. 


SAMHSA Response 


SAMHSA appreciates the 
perspectives expressed by those who 
seek additional exceptions or 
exemptions from part 2 consent 
requirements, as well as the suggestion 
that SAMHSA permit oral consents that 
are documented in writing. 

The part 2 underlying statute, 42 
U.S.C. 290dd-2, and this rule require a 
written patient consent to disclose part 
2 information unless the disclosure is 
otherwise permitted under the part 2 
statute or regulations. The statute, for 
instance, does not provide a general 
exception to the consent requirement for 
the purpose of sharing information with 
public health officials. In certain 
circumstances, disclosures of part 2 
information may be authorized by court 
order to protect against an existing 
threat to life or of serious bodily injury 
(see § 2.63, Confidential 
communications) or to the extent 
necessary to meet a bona fide medical 
emergency in which the patient’s prior 
informed consent cannot be obtained 
(see § 2.51, Medical emergencies). 
SAMHSA may in the future consider 
issuing subregulatory guidance to 
further describe medical emergencies 
under § 2.51 and how such emergencies 
may relate to public health emergencies 
declared at the federal, state, local, and/ 
or tribal levels. SAMHSA does not, 
however, have the statutory authority to 
authorize routine disclosure of part 2 
information for public health reporting, 
surveillance, investigation or 
intervention purposes. 

With respect to § 2.20 (Relationship to 
state laws), in the proposed and final 
rules SAMHSA maintains current 
language regarding preemption. As 
discussed above, SAMHSA cannot 
develop a new general exception for 
public health or medical assistance 
purposes in light of the statute. 
Likewise, SAMHSA cannot develop a 
specific new exception for APCDs 
(hereinafter referred to as MPCDs). The 
role of MPCDs is discussed in the 
section of this preamble concerning 
research (§ 2.52). SAMHSA disagrees 
with the recommendations to consider a 
specific exemption to the consent 
requirements for ACOs that have 
integrated delivery systems, except as 
described in § 2.53 for the purposes of 
audits and evaluations. Similarly, 
SAMHSA is not accepting the 
suggestion to provide a specific 
exemption from the part 2 consent 
requirements for CCOs that have a 
treating provider relationship with a 
patient (i.e., that meet the definition of 
having a treating provider relationship 
with the patient whose information is 
being disclosed). SAMHSA believes that 
the final changes to the consent 
requirements will facilitate care 
coordination and information exchange. 
Improving the quality of substance use 
disorder care depends on effective 
collaboration of mental health, 
substance use disorder, general health 
care, and other service providers in 
coordinating patient care. However, the 
composition of a health care team varies 
widely among entities. Because 
SAMHSA wants to ensure that patient 
identifying information is only 
disclosed to those individuals and 
entities on the health care team with a 
need to know this sensitive information, 
we are limiting a general designation in 
the “To Whom” section of the consent 
requirements to those individuals or 
entities with a treating provider 
relationship. Patients may further 
designate their treating providers as 
“past,” “current,” and/or “future” 
treating providers. In addition, the 
consent form can include multiple 
authorizations in the “To Whom” 
section. A consent may allow a patient 
to designate, by name, one or more 
individuals with whom they do not 
have a treating provider relationship, 
that they authorize to receive or access 
their health care data. 


While we are not establishing specific 
additional exemptions or exclusions 
from the consent requirements at this 
time in response to commenters’ 
suggestions, in light of the longstanding 
role that contractors and subcontractors 
play in the health care system and their 
handling of part 2 data, we are issuing 
an SNPRM related to lawful holders’ use 
of contractors and subcontractors. 


e. Commenter Recommendations 


Public Comments 


Some commenters said SAMHSA 
should expand the list of persons who 
could view the patient’s medical record 
without the patient’s written consent to 
include clergy, social workers, 
psychologists and family members if in 
their professional opinion they were 
necessary for the patient’s recovery and 
progress. Another commenter 
recommended expanding the list to 
include all types of professionals 
involved in the treatment of individuals 
receiving substance use treatment into 
the respective definitions, including 
those employed in social services that 
are members of the treatment team. 


SAMHSA Response 


The definition of “treating provider 
relationship” is sufficiently broad to 
cover the necessary components of a 
patient’s care team. The statute, 42 
U.S.C. 290dd-2, does not provide an 
exception to the consent requirement for 
the purpose of sharing information with 
family members. Part 2, therefore, 
requires a part 2-compliant consent to 
disclose patient identifying information 
unless disclosure is otherwise permitted 
under the statute or regulations. 


Public Comments 


Many commenters said SAMHSA 
should provide a sample consent form. 
Some commenters stated that any 
sample consent form should not be 
mandated to allow stakeholders 
flexibility. 


SAMHSA Response 


SAMHSA may, after publication of 
this rule, issue subregulatory guidance 
that includes a sample consent form that 
meets the specifications of the final rule. 
SAMHSA has never mandated and has no 
intention of mandating the use of a 
specific consent form. 


Public Comments 


Several commenters generally 
supported the use of electronic 
signatures. Several commenters only 
supported electronic signatures when 
also authorized under state law. A 
couple of commenters requested 
guidance on what steps the provider 
would need to take to verify identity, 
provide the required prefatory 
information and to obtain a substance 
use disorder patient’s electronic 
signature. A commenter requested 
guidance from SAMHSA on the areas 
modified by SAMHSA. A commenter 
said SAMHSA should identify the 
signatory and enforceability 
consideration of electronic consent 
through reference to other laws. 


SAMHSA Response 


Because there is no single federal law 
on electronic signatures and there may 
be variation in state laws, SAMHSA 
recommends that stakeholders consult 
their attorneys to ensure they are in 
compliance with all applicable laws. 


Public Comments 


Some commenters made 
recommendations for patient privacy 
protection. One commenter noted that 
the use of secure, certified health IT, 
networks, and devices, especially for the 
transmission of patient records, does not 
appear to be included in the proposed 
provisions. Another commenter said 
meaningful consents could only be 
achieved by adding statements that 
inform the patient of the unprecedented 
risks of making highly sensitive 
substance use disorder information 
accessible throughout integrated health 
care systems or electronic health 
information systems that cannot be 
made secure. 

A commenter stated the proposed rule 
did not address revocation or refusal of 
consent. Similarly, another commenter 
recommended adding language that 
makes clear that revocation of consent 
prevents unauthorized access but does 
not remove the information from the 
electronic record. 


SAMHSA Response 


Section 2.16 addresses security for 
records and requires formal policies and 
procedures to reasonably protect against 
unauthorized use and disclosures of 
patient identifying information and to 
protect against reasonably anticipated 
threats or hazards to the security of 
patient identifying information. 
Whereas this provision does not 
specifically address the use of certified 
health IT networks, and devices, they 
may be used as long as the requirements 
of section 2.16 are met. Regarding 
revocation of consent, § 2.31(a)(6) 
requires: “A statement that the consent 
is subject to revocation at any time 
except to the extent that the part 2 
program or other lawful holder of 
patient identifying information that is 
permitted to make the disclosure has 
already acted in reliance on it. Acting in 
reliance includes the provision of 
treatment services in reliance on a valid 
consent to disclose information to a 
third-party payer.” To the extent an 
individual refuses to consent to the 
disclosure of their patient identifying 
information, part 2 prohibits such 
disclosure unless otherwise permitted 
under the statute or regulations (e.g., 
audit or evaluation, or scientific 
research). 


2. To Whom 


SAMHSA is adopting this aspect of 
the proposal. SAMHSA has moved the 
former § 2.31(a)(2), “To Whom” 
provision, to § 2.31(a)(4). The following 
table provides an overview of the 
options permitted when completing the 
designation in the “To Whom” section 
of the consent form. 


TABLE 1—DESIGNATING INDIVIDUALS AND ORGANIZATIONS IN THE “TO WHOM” SECTION OF THE CONSENT FORM 

| 42 CFR 2.31 | Individual or entity | Treating provider relationship with patient whose information is being disclosed | Primary designation | Required additional designation |
|---|---|---|---|---|
| (a)(4)(i) | Individual | Yes | Name of individual(s) (e.g., Jane Doe, MD). | None. |
| (a)(4)(i) | Individual | No | Name of individual(s) (e.g., John Doe). | None. |
| (a)(4)(ii) | Entity | Yes | Name of entity (e.g., Lakeview County Hospital). | None. |
| (a)(4)(iii)(A) | Entity | No | Name of entity that is a third-party payer as specified under § 2.31(a)(4)(iii)(A) (e.g., Medicare). | None. |
| (a)(4)(iii)(B) | Entity | No | Name of entity that is not covered by § 2.31(a)(4)(iii)(A) (e.g., HIE, or research institution). | At least one of the following: 1. The name(s) of an individual participant(s) (e.g., Jane Doe, MD, or John Doe). 2. The name(s) of an entity participant(s) with a treating provider relationship with the patient whose information is being disclosed (e.g., Lakeview County Hospital). 3. A general designation of an individual or entity participant(s) or a class of participants limited to those participants who have a treating provider relationship with the patient whose information is being disclosed (e.g., my current and future treating providers). |

If a general designation is used, the 
entity must have a mechanism in place 
to determine whether a treating provider 
relationship exists with the patient 
whose information is being disclosed. 
Patients may further designate their 
treating providers as “past,” “current,” 
and/or “future” treating providers. In 
addition, a patient may designate, by 
name, one or more individuals on their 
health care team with whom they do not 
have a treating provider relationship. 


a. General 


Public Comments 


Several commenters generally agreed 
with the proposed “To whom” section 
of the consent requirements, stating that 
it allows patients to disclose substance 
use disorder information to past, 
current, or future treating providers; 
would improve information and data 
sharing for health care, especially for 
entities that are continually adding new 
members; allow patients to remain in 
control of their substance use disorder 
information and understand who had 
access to their data. One commenter 
supported the express permission to 
designate the name of the entity for 
third-party payers that require patient 
identifying information for purposes of 
reimbursement of services rendered to 
the patient. 

Many commenters offered general 
support for the proposed rule’s general 
designation. Some commenters stated 
that the general designation creates a 
balance between patient privacy and 
operational functions, facilitates 
internal communication within an 
integrated delivery system, streamlines 
the consent process, reduces 
administration burdens, creates new 
flexibility, may help facilitate increased 
behavioral health participation in some 
HIEs around the country, and would 
help improve the quality and continuity 
of care within integrated delivery 
models. A commenter supported the 
expansion of the use of a general 
designation when there is a treating 
provider relationship, but said it is 
unworkable to require an updated 
consent form every time new entities are 
added to the “umbrella” consent. 

Some commenters generally disagreed 
with the proposed “To Whom” 
provision of the consent requirements. 
Several commenters argued that the 
proposal was burdensome, would create 
additional complexity, would reduce 
information sharing, and would not 
improve patient privacy protections or 
facilitate informed consent. Commenters 
stated it is unnecessary and impractical 
to require the consent form to name 
every HIE and other intermediaries that 
may assist in transmitting or providing 
access to the patient’s information. A 
couple of commenters stated the 
proposed rule would restrict the ability 
of patients to specifically name an entity 
or to authorize part 2 programs to send 
their information to entities that do not 
have a treatment relationship [treating 
provider relationship]. Another 
commenter said the regulatory preface 
mentions a number of very specific 
drivers of this purported need for 
broader sharing (such as HIEs), but the 
regulatory language itself contains no 
such limitation and offers HIE only as 
an illustrative example. 

Many commenters specifically did not 
support the general designation in the 
“To Whom” section. Some commenters 
claimed that the proposal presumes 
each person entering a treatment 
process has the ability to understand the 
longer-term consequences, or that 
substance use disorder patients, who are 
under tremendous stress, would simply 
choose the general designation because 
it was easiest. A commenter said the 
general designation does not guarantee 
that a HIE or other organizations will 
send all patient data, which could be a 
critical source of information in the case 
of an emergency. 


SAMHSA Response 


A patient may consent to designate, 
for example, an HIE (an entity that does 
not have a treating provider relationship 
with the patient whose information is 
being disclosed) and “all my treating 
providers” (a general designation of an 
individual or entity participant(s) or a 
class of individual or entity participants 
that must be limited to a participant(s) 
who has a treating provider relationship 
with the patient whose information is 
being disclosed). Using the same 
concept, an ACO, pursuant to a general 
designation, may disclose information 
described in the “Amount and Kind” 
section of a consent form (explained 
further in 3. Amount and Kind) to “all 
my entity treating providers.” If a 
general designation is used, the entity 
must have a mechanism in place to 
determine whether a treating provider 
relationship exists with the patient 
whose information is being disclosed 
(e.g., an attestation). In the HIE and ACO 
examples above, the entity that does not 
have a treating provider relationship 
with the patient whose information is 
being disclosed and serves as the 
intermediary may not further disclose 
the patient identifying information 
except to those providers who have a 
treating provider relationship with the 
patient whose information is being 
disclosed that can be verified by the 
intermediary. The prohibition on re- 
disclosure notice must be provided with 
the disclosure because it also applies to 
the treating provider(s) who receive the 
information from the entity that serves 
as an intermediary. In addition, a copy 
of the part 2-compliant consent form or 
the pertinent information on the consent 
form necessary for the treating 
provider(s) to comply with the signed 
consent should be provided with the 
disclosure. 


The patient retains the ability to name 
only specific individuals or entities to 
whom their records will be disclosed. 
Patients have the option to use a general 
designation to designate entities with 
which they have a treating provider 
relationship, but are not required to do 
so. Although SAMHSA received 
comments suggesting that the proposed 
rule makes it more difficult to disclose 
necessary information to an 
organization that does not have a 
treating provider relationship with the 
patient whose information is being 
disclosed other than a 3rd party payer, 
the commenters did not provide 
examples of such entities. The final rule 
permits the “To Whom” section of the 
consent form to designate disclosure of 
information to an entity that does not 
have a treating provider relationship 
with the patient whose information is 
being disclosed, as long as the consent 
also includes one of three options 
specified in § 2.31(a)(4)(iii)(B), for 
example, include the name(s) of an 
individual participant(s). 


If the patient designates all my 
current treating providers, and another 
of the patient’s treating providers 
becomes a participant in the entity that 
does not have a treating provider 
relationship with the patient and serves 
as the intermediary, a new consent form 
would not be required. For example, if 
a patient designates an HIE (an entity 
that does not have a treating provider 
relationship with the patient whose 
information is being disclosed and 
serves as an intermediary) and “my 
current treating providers,” and 
subsequently another of the patient’s 
treating providers becomes a participant 
in the HIE, a new consent form would 
not be required. In addition, more than 
one HIE or other intermediary may be 
listed on the consent form. With respect 
to burden, SAMHSA acknowledges that 
there may be burdens associated with 
the revised consent requirements. 
SAMHSA made these changes based on 
comments from stakeholders in the field 
and SAMHSA strongly believes that the 
changes to “To Whom” will increase 
flexibility for patients and providers. 


b. Determination of Treating Provider 
Relationship 


Public Comments 


A commenter agreed with SAMHSA’s 
suggestion that entities must have an 
established mechanism for determining 
whether a treating provider relationship 
exists. However, several commenters 
stated that determining who has a 
treating provider relationship would be 
difficult. Commenters expressed 
concern that entities do not currently 
have mechanisms in place to determine 
whether a treating provider relationship 
exists with the patient whose 
information is being disclosed. Another 
commenter asked how an HIE would be 
able to determine which participants 
have a past/present/future treating 
provider relationship with the patient. 
A commenter stated that creating this 
mechanism would require additional 
resources and would discourage entities 
from sharing necessary data. Another 
commenter recommended a provision 
that exempts the provider from liability 
when relying in good faith on an 
attestation or representation from an 
outside treating provider. 

Several commenters expressed 
concern that once a consent reflecting a 
general designation of recipients with a 
treating provider relationship has been 
executed and relied upon by the part 2 
program, there is no method by which 
the program can ensure that the 
recipients are properly authenticated by 
the HIE or research institution. 
Commenters suggested the proposed 
rule should specify that the HIE, ACOs, 
CCOs or research institution, as well as 
the recipient that has a treating provider 
relationship with the patient, be 
responsible for ensuring that the 
recipient is actually a treating provider 
and that the disclosure is appropriate 
under part 2. 

A commenter requested clarification 
on whether care managers would be 
included as having a “treating provider 
relationship.” Another commenter 
requested clarification as to whether 
care coordinating entities that have a 
treating provider relationship may 
assign additional designees under the 
general designation (e.g., treatment 
providers with different levels of care or 
recovery services). 

Commenters recommended the 
language in the “To Whom” clause state 
“my treating providers” or “my service 
providers.” A commenter recommended 
“my substance use disorder providers” 
or “my treating providers except Dr. 
John Doe.” Another commenter 
recommended “my treating providers 
and transferring HIEs.” 


SAMHSA Response 


Although SAMHSA understands the 
concerns about further clarifying when 
an entity is considered a treating 
provider, it respectfully declines to 
provide more specificity in the final rule 
than was included in the NPRM. The 
arrangements between treating 
providers and other entities evolve too 
rapidly to be comprehensively 
addressed in regulations. Although 
SAMHSA has not revised the proposed 
text, SAMHSA may provide additional 
subregulatory guidance in the future if 
further clarification is needed. In 
addition, only individuals and entities 
that meet the definition of having a 
treating provider relationship with a 
patient are considered treating 
providers. The determination is fact- 
specific. Consistent with the NPRM, 
SAMHSA continues to encourage 
innovative solutions to implement this 
provision. For example, an HIE could 
have a policy in place requiring their 
participant providers to attest to having a 
treating provider relationship with a 
patient, or provide a patient portal 
where patients designate their treating 
providers. 


c. Requests for Clarification 


Public Comments 


Some commenters requested 
clarification regarding the patient’s role 
in consent, including the patient’s 
ability to alter their consent, how 
patients can authorize disclosures to 
non-health entities other than third- 
party payers, and what the impact 
would be if a patient failed to designate 
past, present, and future disclosures. 
One commenter stated that, if a patient 
designates an entity without a treating 
provider relationship and “my treating 
providers” without further specifying 
“past, present, or future,” it should be 
assumed that the intent is to designate 
“current” treating providers. 


SAMHSA Response 


Patients may designate on the consent 
form a specific individual(s) with whom 
they either have or do not have a 
treating provider relationship and/or a 
specific entity(-ies) with whom they 
have a treating provider relationship. 
Consents for disclosures to entities that 
do not have a treating provider 
relationship (other than third-party 
payers) require at least one of the 
following: (1) The name(s) of an 
individual participant(s); (2) the name(s) 
of an entity participant(s) that has a 
treating provider relationship with the 
patient whose information is being 
disclosed; or (3) a general designation of 
an individual or entity participant(s) or 
a class of participants that must be 
limited to a participant(s) who has a 
treating provider relationship with the 
patient whose information is being 
disclosed. 

If a patient uses a general designation 
and lists “my treating providers” 
without further specifying “past, 
current, or future,” it should be 
presumed that the intent is to designate 
“current” treating providers. Finally, a 
patient can revoke a consent at any 
time, except to the extent that the part 
2 program or other lawful holder of 
patient identifying information that is 
permitted to make the disclosure has 
already acted in reliance on it. Acting in 
reliance includes the provision of 
treatment services in reliance on a valid 
consent to disclose information to a 
third-party payer. 


Public Comments 


Other commenters requested 
clarification regarding entity roles, 
including whether a CCO can request a 
single consent for multiple purposes 
(e.g., care coordination, treatment, and 
payment); whether providers need to 
maintain the variety of forms to meet 
the requirements of § 2.31(a)(4); what 
limitations (if any) would be placed on 
HIE entities or research institutions 
using substance use disorder 
information received via the new 
consent process, specifically whether 
the disclosure would not be limited to 
treatment purposes; and whether an 
HIE-to-HIE disclosure is permissible 
and, if so, for what purposes. A few 
commenters asked whether it would be 
permissible to list multiple HIEs on a 
consent form. Similarly, another 
commenter recommended SAMHSA 
adopt a broad definition of an HIE to 
allow a “network of networks,” such as 
the statewide health information 
network to be considered an HIE. A 
commenter requested clarification as to 
whether 42 CFR part 2 information can 
flow through other HIEs not designated 
on the consent form to transfer the 
information to the recipient. 

A few commenters requested 
clarification on how the proposed 
changes would impact multi-party 
consent forms that allow disclosure 
“among and between” all the parties 
listed on the form. Similarly, a 
commenter requested clarification 
regarding the “To Whom” and “From 
Whom” definitions and how they would 
apply between two providers to whom 
a patient has independently given 
consent to receive information, urging 
that the definitions be general and 
consistent so that they allow for bi- 
directional flow of information. 

A commenter said SAMHSA should 
clarify that the provision of general 
consent to disclosure of substance use 
disorder treatment also applies to 
disclosure of information between those 
responsible for treatment in the 
community and those responsible for 
treatment in correctional settings. 


SAMHSA Response 


Under the changes to the consent 
requirements, an entity that does not 
have a treating provider relationship 
with the patient may further disclose, 
with a part 2-compliant consent, to a 
named individual who does not have a 
treating provider relationship with the 
patient. 

Section 2.31(a)(4) of the consent 
requirements may be completed with 
one or more recipients. Section 
2.31(a)(5) of the consent requirements 
requires that the consent form include 
the purpose of the disclosure. Part 2 
allows the use of a single consent form 
authorizing the disclosure of part 2 
patient information to different 
recipients for different purposes. 
However, part 2 also requires a consent 
form to specify the amount and kind of 
information that can be disclosed, 
including an explicit description of the 
substance use disorder information that 
may be disclosed, to each of the 
recipients named in the consent. The 
amount of information to be disclosed 
“must be limited to that information 
which is necessary to carry out the 
purpose of the disclosure” (see § 2.13(a)). 
This will vary depending on the 
different purposes for which different 
recipients are being allowed to access or 
receive the information. Thus the 
consent form would have to be 
structured to make it clear what 
information may be given to each of the 
recipients, and for which purposes. 

Disclosure of patient identifying 
information made with the patient’s 
written consent must be accompanied 
by a written notice regarding the 
prohibition on re-disclosure (see § 2.32). 
This notice informs them that 42 CFR 
part 2 prohibits the recipients of the 
patient identifying information from re- 
disclosing it to any individual or 
organization not specified in the 
consent form unless otherwise 
permitted under the part 2 statute or 
regulations. 

The rule includes an additional 
patient safeguard, in which patients 
who have included a general 
designation in the “To Whom” section 
of their consent form (see § 2.31) must 
be provided, upon request, a list of 
entities to which their information has 
been disclosed pursuant to the general 
designation. 

With respect to multi-party consent, 
SAMHSA is not finalizing the “From 
Whom” provision (2.31(a)(2)) as 
proposed for the reasons discussed in 4. 
“From Whom.” Therefore, consents may 
authorize disclosures “among and 
between” the parties designated in the 
“To Whom” and “From Whom” 
sections of the consent form. 


Public Comments 


Some commenters requested 
clarification regarding aspects of the 
“To Whom” provision, such as what 
would happen if a person does not want 
to give a general designation; how the 
process of designating past, present, and 
future treating providers would work in 
practice; whether a Performing Provider 
System (PPS) could be assigned in the 
“To Whom” section of the consent form; 
and whether a health care organization 
would be an appropriate entity to be 
named for disclosure. 

With regard to third-party payers, a 
commenter asked whether a general 
designation for third-party payers could 
be used for other purposes, such as care 
coordination, population health, or 
other services that may fall under the 
definition of health care operations 
within the meaning of HIPAA. Some 
commenters recommended that third- 
party payers should not have to be listed 
in the “To Whom” section of the 
consent form. 


SAMHSA Response 


With regard to third-party payers, the 
regulations require written consent for 
disclosure of patient identifying 
information to third-party payers. The 
statute does not provide an exception to 
this consent requirement. However, 
with respect to patients who have both 
a substance use disorder and a mental 
illness, § 2.15 of the regulations states 
that, in the case of a patient, other than 
a minor or one who has been 
adjudicated incompetent, that for any 
period suffers from a medical condition 
that prevents knowing or effective 
action on their own behalf, the part 2 
program director may exercise the right 
of the patient to consent to a disclosure 
under subpart C of this part for the sole 
purpose of obtaining payment for 
services from a third-party payer. In 
addition, in the case of minor patients, 
§ 2.14 of the regulations states the 
regulations do not prohibit a part 2 
program from refusing to provide 
treatment until the minor patient 
consents to the disclosure necessary to 
obtain reimbursement, but refusal to 
provide treatment may be prohibited 
under a state or local law requiring the 
program to furnish the service 
irrespective of ability to pay. 

If an individual does not want to use 
a general designation, they have several 
other options, which are enumerated in 
§ 2.31(a)(4) of this final rule. 

If a patient does not designate 
“current, past, and/or future” treating 
provider(s), the presumption is that the 
patient means “current treating 
provider(s).” SAMHSA may, after
publication of this final rule, also 
provide further clarification on this 
process of designating past, present, and 
future treating providers in 
subregulatory guidance. 

Whether a PPS or a health care 
organization may be listed in the “To 
Whom” section of the consent form
depends upon whether they have a 
treating provider relationship with the 
patient whose information is being 
disclosed. If an entity does have a 
treating provider relationship with the 
patient, the entity name may be listed 
on the consent (see § 2.31(a)(4)(ii)). 
However, if the entity does not have a 
treating provider relationship with the 
patient whose information is being 
disclosed, and is not a third-party payer, 
the entity name may be listed on the 
consent form as long as one or more of 
the following is also listed: (1) The 
name(s) of an individual participant(s); 
(2) the name(s) of an entity 
participant(s) that has a treating 
provider relationship with the patient 
whose information is being disclosed; or 
(3) a general designation of an 
individual or entity participant(s) or a 
class of participants that must be 
limited to those participants who have 
a treating provider relationship with the
patient whose information is being
disclosed. 


SAMHSA plans to address issues 
concerning third-party payer use and 
disclosure of part 2 information in 
greater detail in an SNPRM. 


d. Commenter Recommendations 


Public Comments 


Commenters recommended more 
flexibility in the “To Whom” section.
Commenters recommended that 
SAMHSA expand the general 
designation to include all of the various 
participants in the modern health care 
system and their respective activities: 
Providers, care managers, health plans 
and ACOs, MCO services, CCOs, and 
similar integrated health care networks. 
One commenter said the general 
designation should include those who 
do not have a treating provider 
relationship with the patient but who/ 
which require access to the patient’s 
information solely in relation to 
fulfilling a specific function for the 
benefit of the individual or entity that 
has the treating provider relationship 
with specific patients. Another 
commenter requested that SAMHSA 
allow patients to generally consent to 
disclose information to any company 
assisting in processing their insurance 
claims. Another commenter suggested 
that patients be able to name as many 
treating providers as they wish under 
the general designation. One commenter 
said patients should be permitted to 
provide a generalized consent for all of 
their previous providers to disclose 
information. One commenter said 
generic consent (i.e., disclosure through 
an HIE) is all that should be required 
because SAMHSA has previously 
provided guidance that HIEs may have 
access to part 2 information under a 
QSO agreement without patient consent. 
A commenter said the rule should allow 
for the general designation of certain 
types of non-treating providers, rather 
than require a listing of the name of 
each entity. 


In contrast, other commenters 
suggested increased limitations on the 
“To Whom” designation. A commenter 
proposed excluding health information 
networks and health information 
organizations (HIOs) from being 
specifically identified on patient 
consent form because they are not true 
recipients of patient health information 
and simply facilitate electronic 
exchange of information. One 
commenter recommended that 
SAMHSA preserve the patient’s right of 
consent to disclosures only to 
specifically identified practitioners 
involved in their mental health
treatment. 

Regarding third-party payers, several 
commenters recommended allowing 
third-party payers to act as 
intermediaries for purposes of sharing 
substance use disorder information, 
allowing them to share information with 
all of the patient’s treating providers. 
Another commenter requested general 
designation for third-party payers. To 
accommodate the operational realities of 
Medicaid, a commenter stressed that the 
rule should explicitly provide that 
consent to disclose covered data to 
Medicaid constitutes consent to release 
such data to Medicaid or to the payer’s 
contracted entity (e.g. the MCO) to 
apply to both entities as a third-party 
payer. Similarly, another commenter 
recommended that the rule consider a 
designation to the name of the state 
agency, the MCO, or simply Medicaid as 
consent that applies to the state and its 
contracted delivery system, reasoning 
that not all Medicaid beneficiaries 
understand their health care system. 


SAMHSA Response 


SAMHSA acknowledges the 
commenters’ concerns related to the 
recommendations above. SAMHSA has 
concluded that the proposed changes to 
the consent requirements would 
facilitate care coordination and 
information exchange. Improving the 
quality of substance use disorder care 
depends on effective collaboration of 
mental health, substance use disorder, 
general health care, and other service 
providers in coordinating patient care. 
However, the composition of a health 
care team varies widely among entities. 
Because SAMHSA wants to ensure that 
patient identifying information is only 
disclosed to those individuals and 
entities on the health care team with a 
need to know this sensitive information, 
we are limiting a general designation to 
those individuals or entities with a 
treating provider relationship. Patients 
may further designate their treating 
providers as “past,” “current,” and/or
“future” treating providers. In addition,
a patient may designate, by name, one 
or more individuals on their health care 
team with whom they do not have a 
treating provider relationship. SAMHSA 
clarifies that a QSO can be used to share 
part 2 information with the HIE when 
the HIE is a service provider to the part 
2 program, but the QSO cannot be used 
to share information with the members 
of an HIE without patient consent. 

As for third-party payers and others, 
SAMHSA must balance the need for and 
benefits of care coordination with the 
need for consent and the requirements 
of the part 2 governing statute. 


SAMHSA declines to adopt commenter 
recommendations to allow third-party 
payers to serve as intermediaries that 
could share information with all the 
patient’s treating providers because we 
conclude that the “To Whom” consent
requirements are sufficiently broad to 
cover the necessary components of a 
patient’s care team. For purposes of 
payment-related activities, to the extent 
that federal or state law authorizes or 
requires that the Medicaid or Medicare 
agency or program share data or enter 
into a contractual arrangement or other 
formal agreements to do so, consent to 
disclose patient identifying information 
to the agencies or programs (as a third- 
party payer) under section 
2.31(a)(4)(iii)(A) is considered to extend 
to the contractors and subcontractors of 
the agencies or programs. 

Commenters have provided SAMHSA 
with informative feedback on how 
lawful holders, including third-party 
payers and others within the healthcare 
industry, use health data or hire others 
to use health data on their behalf to 
provide operational services such as 
independent auditing, legal services, 
claims processing, plan pricing and 
other functions that are key to the day- 
to-day operation of entities subject to 
this rule. Those comments indicate that 
there may be varying interpretations of 
the part 2 rule’s restrictions on lawful 
holders and their contractors’ and 
subcontractors’ use and disclosure of 
part 2-covered data for purposes of 
carrying out payment, health care 
operations, and other health care related 
activities. In consideration of this 
feedback and given the critical role 
third-party payers, other lawful holders, 
and their contractors and subcontractors 
play in the provision of health care 
services, SAMHSA is issuing an SNPRM 
to seek further comments and 
information on this matter before 
establishing any appropriate 
restrictions. 


Public Comments 


Instead of listing organizations in the 
“To Whom” section, a commenter 
recommended that a consent form 
should specify the reasons for 
disclosure (e.g. care coordination, 
management of benefits). 


SAMHSA Response 


In addition to the “To Whom”
section, the consent form is required to
include how much and what kind of
information is to be disclosed, including 
an explicit description of the substance 
use disorder information that may be 
disclosed. In addition, the consent form 
must include the purpose of the 
disclosure. All the required elements
must be included on the consent form.
SAMHSA declines to make the 
suggested change to allow the 
“Purpose” of the consent to dictate the 
recipients of the patient identifying 
information. The intent of SAMHSA’s 
approach to the “To Whom” section of
the consent form is to provide the 
patient options for the degree to which 
they will be able to identify, at the point 
of consent, who they are authorizing to 
receive their information. 


Public Comments 


A commenter stated that SAMHSA 
should explicitly recognize and include 
health plan care services, such as 
managed care, care coordination, case 
management and other integrated care 
activities as part of the required 
elements for written consent for entities 
that do not have a treating provider 
relationship with the patient under 
proposed § 2.31(a)(4)(iv). 

A commenter stated any privacy 
concerns could be fixed by requiring (1) 
a general designation of a class of 
participants with a treating provider 
relationship; and (2) that the disclosing 
organization provide patients, upon 
request, a list of entities to which their
information has been disclosed. 

A commenter proposed that 
§ 2.31(a)(4) be revised to allow a general 
designation to be used whenever there 
is a “treating provider relationship” or
a “care management relationship.” The
commenter stated the “care
management relationship” should be 
defined to include the concepts of 
assistance in obtaining appropriate care, 
care coordination, and assistance in the 
implementation of a plan of medical 
care. 

A couple of commenters suggested 
SAMHSA revise proposed 
§ 2.31(a)(4)(iv)(C) to read: “. . . to a
participant(s) who has a treating 
provider relationship with the patient at 
the time the disclosure is made.” (Note, 
the relevant text is now found at 
§ 2.31(a)(4)(iii)(B)(3) due to renumbering 
of the final regulation.) The commenters 
stated this would make it clear that 
participants who develop a treatment 
relationship with the patient after the 
date the consent can gain access. 

Commenters recommended that the 
general authorization mirror the 
authorization under HIPAA to ease the 
transition and reduce compliance 
issues. 

A commenter recommended 
SAMHSA work with other federal 
entities that are exploring parity 
enforcement to ensure that the proposed 
rule changes would not create barriers 
for states working on enforcement of the 
parity law.

If a patient notes their information
may be shared with current and future 
health care providers, one commenter 
said the specific name of the ACO or 
other provider should not be required. 


SAMHSA Response 


SAMHSA declines to explicitly 
recognize and include health plan care 
services, such as managed care, care 
coordination, case management and 
other integrated care activities as part of 
the required elements for written 
consent for entities that do not have a 
treating provider relationship with the 
patient under proposed § 2.31(a)(4)(iv), 
or broaden the “treating provider 
relationship” to also include a “care
management relationship.” The
definition of “Treating provider
relationship” is sufficiently broad to 
cover the necessary components of a 
patient’s care team. 

A commenter stated any privacy 
concerns could be fixed by requiring (1) 
a general designation of a class of 
participants with a treating provider 
relationship; and (2) that the disclosing 
organization provide patients, upon 
request, a list of entities to which their 
information has been disclosed. Another 
commenter wanted to delete the 
requirement of naming the entity 
without a treating provider relationship 
with the patient whose information is 
being disclosed. SAMHSA is retaining 
the consent requirements discussed in 
this section of the preamble because we 
believe it balances increased flexibility 
with necessary privacy protections. 

SAMHSA declines to mirror the 
authorization under HIPAA to ease the 
transition and reduce compliance 
issues, as a commenter suggested, 
because, due to its targeted population, 
part 2 provides more stringent federal 
protections than most other health 
privacy laws, including HIPAA. 

SAMHSA may, after publication of 
this final rule, provide further 
subregulatory guidance on specific 
concerns, such as states working on 
enforcement of the parity law. 


Public Comments 


Several commenters recommended 
splitting proposed § 2.31(a)(4)(iv) into 
two sections. The first would contain 
special provisions governing disclosures 
made through HIEs and would retain 
the references to “individual 
participants” and “entity participants.”
The second would cover all entities that 
do not fall into any of the other 
categories in proposed paragraph 
(a)(4)(iv); in these cases, the specific 
entity to which disclosure is made 
would have to be specified. 


SAMHSA Response 


SAMHSA proposed § 2.31(a)(4)(iv) to 
apply to an entity (1) that does not have 
a treating provider relationship with the 
patient whose information is being 
disclosed, and (2) is not a third-party 
payer. Therefore, SAMHSA declines to 
make the recommended changes. We 
note, however, that due to re-numbering 
the proposed § 2.31(a)(4)(iv) provision is 
found in the final regulation at 
§ 2.31(a)(4)(iii)(B).


Public Comments 


A commenter recommended that the 
use of multi-party consents be 
permissible even when the “To Whom”
section contains a general designation,
and that the party(ies) named in the “To
Whom” section be permitted to re- 
disclose patient information if the 
patient has consented to such re- 
disclosures in order to allow patients’ 
treating providers to communicate with 
each other (pursuant to patient consent) 
within networks like HIE and integrated 
care organizations. Another commenter 
stated that the general designation is a 
step in the right direction but the 
proposed rule would add a burdensome 
accounting, which is not required for 
disclosures pursuant to a valid 
authorization under HIPAA. 


SAMHSA Response 


On the issue of multi-party consent, a 
multi-party consent can be achieved by 
allowing for bi-directional 
communication using the general 
designation in both the “To Whom” and
“From Whom” sections of the consent. 
It can also be created by naming 
multiple individuals with or without a 
treating provider relationship with the 
patient whose information is being 
disclosed or entities with a treating 
provider relationship with the patient 
whose information is being disclosed in 
the “To Whom” and “From Whom”
sections of the consent. The key is to 
make sure the consent form authorizes 
each party to disclose to the other ones 
the information specified and for the 
purpose specified, in the consent. The 
“To Whom” and “From Whom”
sections of the consent provisions of the 
final rule will permit multi-party 
consents. 

With respect to the comment 
regarding the additional burden of the 
List of Disclosures associated with the 
use of a general designation on the 
consent form, SAMHSA addressed this 
issue in Section F.3, in the preamble 
discussion of Confidentiality 
Restrictions and Safeguards (§ 2.3). That 
discussion emphasizes the fact that 
there is no timeframe in which part 2
programs and lawful holders need to
comply with the List of Disclosures 
systems requirements; the final rule 
only requires that if they choose to 
disclose information pursuant to a 
general designation on the “To Whom”
part of the consent form, they must also 
be capable of providing a List of 
Disclosures upon request per § 2.13(d). 


e. Proposed Alternative Approach for 
“To Whom” Section 


SAMHSA is not finalizing the 
alternative approach to the “To Whom”
consent provision. In the NPRM, 
SAMHSA proposed an alternative 
approach for the “To Whom” aspect of
a consent form that attempted to reflect 
the same policy goal as the proposed 
regulation text while attempting to 
simplify the language that would appear 
on the consent form. This alternative 
approach would not change the existing 
language in the “To Whom” section of
the consent form. Under this alternative 
approach, SAMHSA proposed to add a 
definition of “organization” to § 2.11. 
Organization would mean, for purposes 
of § 2.31, (a) an organization that is a 
treating provider of the patient whose 
information is being disclosed; or (b) an 
organization that is a third-party payer 
that requires patient identifying 
information for the purpose of 
reimbursement for services rendered to 
the patient by a part 2 program; or (c) 
an organization that is not a treating 
provider of the patient whose 
information is being disclosed but that 
serves as an intermediary in 
implementing the patient’s consent by 
providing patient identifying 
information to its members or 
participants that have a treating 
provider relationship, as defined in 
§ 2.11, or as otherwise specified by the 
patient. 


Public Comments 


No commenters expressed support for 
the proposed rule’s alternative approach 
to required elements as stated. One 
commenter said the alternative 
approach would impose fewer burdens 
on patients and part 2 entities but did 
not agree with the restriction on 
dissemination to only treating entities. 
Another commenter supported the 
proposed alternative if it results in only 
the name of the HIE and not its 
participants being listed on the consent 
form. 

Several commenters expressed 
general opposition to the proposed 
alternative approach. One commenter 
stated that redefining “organization” to
make it more expansive would lead to 
erosion of trust and would have a 
chilling effect on the communications 
necessary for effective treatment.
Another commenter stated that a more 
expansive definition of “organization”
may defeat a patient’s intent because a 
patient would have less notice that their 
information could be disclosed to an 
entity not specifically named on the 
consent form. 


SAMHSA Response 


Based on the comments, SAMHSA 
has not adopted the alternate approach. 
Although a few commenters supported 
the adoption of the broad definition of 
“organization,” none provided 
sufficient information to determine how 
that definition could be implemented to 
protect the patient’s information from 
disclosure to parties without a need to 
know. It is also unclear how the List of 
Disclosures requirement would be 
applied under a broader definition of 
“organization.” SAMHSA, therefore, has
not adopted a definition of
“organization.” SAMHSA disagrees
with the recommendation that 
disclosure to a wider range of entities 
should be allowed without the patient’s 
specific consent. 


3. Amount and Kind 


SAMHSA is adopting this aspect of 
the proposal. SAMHSA has moved the 
former § 2.31(a)(5), “Amount and Kind” 
provision, to § 2.31(a)(3) and revised the 
provision to require the consent form to 
explicitly describe the substance use 
disorder-related information to be 
disclosed. The designation of the 
“Amount and Kind” of information to 
be disclosed must have sufficient 
specificity to allow the disclosing 
program or other entity to comply with 
the request. 


a. General


Public Comments


Many commenters provided feedback 
on the proposed rule’s “Amount and 
Kind” requirements on a patient’s 
consent form. A few commenters 
generally supported the provision. 
However, several commenters generally 
disagreed with the proposed provision 
because it would either decrease or fail 
to improve the sharing of patient 
information; would hamper integrated 
care; would result in consent forms 
routinely becoming outdated; patients 
should not decide what information is 
disclosed; and the current (1987) rule 
language is adequate for protection of 
patient privacy. 

Some commenters said the rule 
should continue to allow a general 
description of the type of information 
being disclosed. Other commenters 
asked SAMHSA to clarify why the 
revision of the regulatory language was
necessary and why specific information
is preferable to simply stating that the 
consent form covers all the records 
maintained by the part 2 program. 


SAMHSA Response 


The designation of the “Amount and 
Kind” of information to be disclosed 
must explicitly describe the substance 
use disorder-related information to be 
disclosed and have sufficient specificity 
to allow the disclosing program or other 
entity to comply with the request. 
However, the entity creating the consent 
form may provide options by including 
free text space, or choices based on a 
generally accepted architecture (e.g. the 
Consolidated-Clinical Document 
Architecture (C-CDA)), or document 
(e.g. the Summary of Care Record as 
defined by CMS for the EHR Incentive 
Programs). It is permissible to include 
“all my substance use disorder 
information” as long as more granular 
options are also included. 

Nothing in the rule would prevent the 
development and use of broad 
categories of the substance use disorder- 
related information on the Amount and 
Kind section of the consent form. The 
types of information that might be 
requested include diagnostic 
information, medications and dosages, 
lab tests, allergies, substance use history 
summaries, trauma history summary, 
elements of a medical record such as 
clinical notes and discharge summary, 
employment information, living 
situation and social supports, and 
claims/encounter data. If options are 
provided, it is also permissible to 
provide check boxes next to each 
option. 


b. Impact of the Amount and Kind 
Requirement on Providers and Patients 


Public Comments 


Commenters expressed concern that 
the proposed “Amount and Kind”
provision would be unduly burdensome 
for providers, thus obstructing 
communications. Several commenters 
stated that the proposed rule would 
require both patients and providers to 
have an in-depth understanding of the 
precise terms used for substance use 
disorder information. Some commenters 
thought this would put undue burden 
on patients. Other commenters argued 
that the “Amount and Kind” 
requirement would place an additional 
burden on patients to anticipate future 
care and/or continually update their 
consent forms. Similarly, commenters 
stated that patients do not know what 
information is necessary to support their 
treatment, which could lead to 
important information being omitted. 


Commenters argued that the “Amount 
and Kind” provision would require 
requesting health providers to know the 
format, titling, and nomenclature used 
for substance use disorder information 
in the part 2 program. 

A commenter argued that many 
patients would want all of their 
substance use disorder information 
disclosed if it would improve the 
quality and coordination of their care. 
Many commenters recommended that 
patients should be able to sign a consent 
to sharing their entire record (i.e., a 
global consent), with some arguing that 
the form should include a statement that 
covers “all my records,” “all my
substance abuse records,” “entire
record” and/or “full record.” Other
commenters said patients should be able
to choose via a check box “substance
abuse treatment information” or
authorize the entire medical record and 
list what cannot be disclosed. Several 
commenters stated that an exhaustive 
list of check boxes on the consent form 
would be confusing for many patients. 

Some commenters said patients 
should be able to designate an option for 
overall record release with an option for 
further specification of dates and 
materials to be released from the 
substance use disorder record. However, 
another commenter said selections 
should be “all or nothing” to enable
providers to exchange information with 
HIE, ACO, CCO or a similar entity 
according to the patient’s consent 
directive with other providers. 


SAMHSA Response 


The patient will be aware that they 
have substance use disorder information 
and can make a determination whether 
they want that information disclosed. 
The 1987 final rule part 2 regulations 
require the patient to list “how much
and what kind of information is to be
disclosed” (§ 2.31(a)(5)). SAMHSA has
revised the provision to require that the 
consent form explicitly describe the 
substance use disorder information to be 
disclosed to ensure patients understand 
they are disclosing the specified 
substance use disorder information. The 
amount of specificity patients wish to 
include in the “Amount and Kind” 
section of the consent form is left to 
them, as long as it has sufficient 
specificity to allow the disclosing 
program or other entity to comply with 
the request. As such, this section does 
not prohibit a patient from listing “all
my substance use disorder information”
or “none of my substance use disorder
information.” However, the Amount
and Kind section of a consent form must 
accommodate more specific options. As 
stated previously, nothing in the rule 
would prohibit the inclusion on a
consent form of broad categories of the 
substance use disorder-related 
information that would generally appear 
in patient records to assist patients in 
identifying the information they wish to 
disclose. In developing broad categories 
of information to be included on the 
consent form, part 2 programs and other 
lawful holders of patient identifying 
information would need to take into 
consideration reading level standards 
and the concepts of plain language. The 
rule does not require further consent 
when new information is added to the 
substance use disorder record if the new 
information is covered by the “Amount
and Kind” section on the consent form.
If the “Amount and Kind” section does
include specificity that the patient 
doesn’t understand, the party obtaining 
the consent should explain it to the 
patient. SAMHSA may, after publication 
of this final rule, issue in subregulatory 
guidance information for educating staff 
and patients. We are reliant on the 
provider to be clear to patient, which 
has always been the case. 


c. Required Substance Use Disorder 
Information on Consent Forms 


Public Comments 


Some commenters said the level of 
detail required in the “Amount and 
Kind” section of the consent form was
unrealistic, unnecessary, and confusing. 
A commenter argued that the level of 
detail required by the rule was at odds 
with the general designations necessary 
for information exchange. A commenter 
stated that EHR infrastructure may not 
be able to categorize and segregate 
information as described in proposed 
§ 2.31(a)(3). 

Some commenters urged SAMHSA to 
simplify or otherwise revise this section 
of the consent form. A commenter 
recommended that the list could be 
simplified by including standardized 
fields on the consent form that align 
with information commonly found on a 
Continuity of Care Document (CCD). 
Commenters recommended narrowing 
the list to several broad categories (e.g. 
employment information, living 
situation, social supports). A commenter 
stated that if more specific categories 
were needed, the patient could write in 
their own terms. Some commenters said 
the elements and extent of the consent 
should be the same under part 2 as it is 
in HIPAA. Other commenters said 
SAMHSA should use the required 
elements of a Summary of Care Record 
as defined by CMS for the EHR 
Incentive Program as a basis for the 
“kind” and “type” of information able
to be disclosed. Another commenter
said SAMHSA should defer to the
expertise of health plans to determine 
what is necessary for a treating provider 
to know about substance use disorder. 


SAMHSA Response 


The types of information that might 
be requested include diagnostic 
information, medications and dosages, 
lab tests, allergies, substance use history 
summaries, trauma history summary, 
employment information, living 
situation and social supports, and 
claims/encounter data. However, the 
entity creating the consent form may 
provide options to include free text 
space, or choices based on a generally 
accepted architecture or document such 
as the C-CDA, or Summary of Care 
Record, as defined by CMS for the EHR 
Incentive Program. It is permissible to 
include “all my substance use disorder 
information” as long as more granular 
options are also included. If options are 
provided, it is also permissible to 
provide check boxes next to each 
option. The designation of the “Amount
and Kind” of information to be 
disclosed must have sufficient 
specificity to allow the disclosing 
program or other entity to comply with 
the request. 


d. Requests for Clarification


Public Comments


A couple of commenters asked 
SAMHSA to clarify whether the 
“Amount and Kind” section is to inform 
the patient or the providers. A 
commenter requested clarification on 
whether multiple patient consents 
would be necessary when the contents 
of a record change over time. Some
commenters requested that SAMHSA 
provide more specific examples of 
adequate descriptions of the type of 
information being disclosed. Another 
commenter recommended SAMHSA 
create a sample consent form. 


SAMHSA Response 


The “amount and kind” section 
informs both the patient and the 
providers. It allows patients the 
opportunity to specify whether all of 
their substance use disorder treatment 
information or only some may be 
disclosed and sets the limits on what a 
part 2 program or other lawful holders 
may disclose. The amount and kind 
section will generally cover classes of 
information so that changes to the 
record should not trigger the need for re- 
consents for the same classes of 
information. SAMHSA may provide 
examples or a sample consent form in 
subregulatory guidance following the 
publication of the final rule. 


4. From Whom 


SAMHSA is not finalizing the 
substantive changes that were proposed 
for the “From Whom” provision in 
§ 2.31(a)(2). In the NPRM, SAMHSA 
proposed to move the 1987 § 2.31(a)(1) 
“From Whom” language of the consent 
requirements provision to § 2.31(a)(2). 
In addition, because SAMHSA was also 
proposing, in certain instances, to 
permit a general designation in the “To 
Whom” section of the consent form,
SAMHSA proposed to require the
“From Whom” section of the consent
form to specifically name the part 2 
program(s) or other lawful holder(s) of 
the patient identifying information 
permitted to make the disclosure. 


Public Comments 


SAMHSA received comments on the 
“From Whom” section of the consent 
form from a group of commenters 
representing a broad spectrum of 
stakeholder organizations. The 
overwhelming majority of these 
commenters were opposed to the 
proposed change and many suggested 
withdrawing the proposal in § 2.31(a)(2) 
and retaining the 1987 “From Whom”
language (§ 2.31(a)(1)). 

Commenters expressed concern that 
the proposed § 2.31(a)(2) could decrease 
the sharing of health information; would 
add complexity with little or no benefit 
to patient privacy; would unnecessarily 
limit the use of a consent; may
accidentally cause the patient to omit a
provider whom they want or need to see
their data; and would negatively impact
certain HIE models. A significant
majority of the comments regarding the 
“From Whom” section of the consent 
form voiced strong opposition to the 
proposal. A few commenters said the 
proposed change would unnecessarily 
limit the positive step SAMHSA took in 
permitting, in certain circumstances, a
general designation in the “To Whom” 
section of the consent form. One 
commenter suggested revising the 
requirements on the basis that the 
proposed changes do not modernize the 
regulation. 


SAMHSA Response 


SAMHSA was persuaded by the 
overwhelming opposition to the 
proposed “From Whom” language and,
with the exception of minor technical 
revisions, will retain in this final rule 
the language in the current (1987) 
regulation. SAMHSA made this decision 
for several reasons. First, the existing 
“From Whom” requirements have been 
in effect for nearly 30 years and were 
based on the Department’s prior 
determination that, even with a general 
designation option, the provision did
not jeopardize patient privacy. The fact 
that SAMHSA is not aware of any 
reports of the current (1987) “From 
Whom” requirement resulting in 
unintended consequences further 
supports this position. 

Second, in the NPRM, SAMHSA 
supported the elimination of the general 
designation option in the “From 
Whom” section of the consent form 
based on concerns that “[t]he patient
may be unaware of possible
permutations of combining the two
broad designations (i.e., in the “To
Whom” and “From Whom” sections) to
which they are consenting, especially if 
these designations include future 
unnamed treating providers.” Based on 
the comments received, we believe this 
concern may have been overstated. 
Commenters generally did not agree that 
the “unintended consequences” the
NPRM postulated were likely to occur. 
Commenters also asserted that 
SAMHSA’s proposal shifted the burden 
from the receiver to the sender of health 
information and would be burdensome 
both to providers and patients. In 
addition, the proposed change could 
undermine new models to streamline 
consent. 

While the option of using a general 
designation in either the “To Whom” or
the “From Whom” sections (or both) 
provides the patient greater flexibility, 
and may result in two broad 
designations, it is still ultimately the 
patient’s decision whether to use these 
options or to specifically name both the 
disclosing and receiving parties on the 
consent form. We agree with the 
remarks of one commenter that the 
proposed change to the “From Whom” 
section potentially undermines, rather 
than supports, patient choice, which 
was not SAMHSA’s intent. Another 
commenter suggested that SAMHSA’s 
proposed revisions may restrict multi- 
party consents and disclosures, such as 
consents that authorize disclosures 
“between and among” the parties. These 
types of consents are an important 
option for part 2 programs and patients, 
which SAMHSA believes would be 
eliminated if it were to finalize the 
proposal articulated in the NPRM. 
Another characterized the proposed 
change as adding greater complexity to 
the consent process for patients with 
little or no benefit to patient privacy. 

Third, leaving the 1987 “From 
Whom” section essentially unchanged 
may reduce the burden on providers 
and IT vendors to accommodate this 
final regulation. HIE consortiums/ 
associations and state governments were 
particularly concerned about the impact 
of the proposed revisions on consent-to-
access HIE models (sometimes referred
to as a community-wide consent-to- 
access model). As several commenters 
said, the only way for the participant to 
comply with the NPRM “From Whom” 
requirement would be for the 
participant to list the name of every part 
2 program in the relevant state in the 
“From Whom” section of the consent 
form in order to inform the patient that 
there is a possibility that one of these 
programs might be the source of the 
information being accessed. Not only 
would this require the listing of 
hundreds of providers on the face of a 
consent form—effectively transforming 
the document into a provider 
directory—but it would also require the 
listing of part 2 programs that are not 
participating in the HIE, which would 
be misleading and likely draw 
objections from these programs. 

Moreover, the identities of part 2 
programs that may be sources of 
information are constantly changing as 
new programs are licensed or join the 
HIE. This would mean that every time 
a participant sought to access a patient’s 
information in an HIE, it would have to 
provide the patient with a consent form 
listing all of these new providers, and 
the participant would constantly need 
to print new forms with updated lists of 
part 2 programs in the state. This would 
even apply in the vast majority of cases 
where no part 2 information would be 
exchanged, since a participant in a 
consent-to-access model often does not 
know whether the sought-after 
information contains part 2 information 
and, therefore, needs to assume that it 
does. Requiring participants to print 
lengthy consent forms with an updated 
list of part 2 programs every time a new 
part 2 program is licensed in the 
relevant state (and developing a system 
to inform every participant about such 
updates) is simply not feasible. The 
community consent-to-access model 
was implemented specifically in order 
to meet the spirit and letter of the 1987 
part 2 regulations. In addition, federal 
and state governments have invested 
hundreds of millions of dollars to build 
statewide health information networks 
in reliance on the 1987 part 2 
regulations, which allow consent forms 
to have a general designation of “From 
Whom” the records are being disclosed. 
Theoretically, it is possible for part 2 
programs to switch to a consent-to- 
disclose model while all other 
participants continue to operate under a 
consent-to-access model. 

Fourth, the flexibility provided in the
“To Whom” and “From Whom”
sections of the consent form is
balanced by the specificity in the
“Amount and Kind” and “Purpose”
sections of the consent form. SAMHSA
has revised the “Amount and Kind”
element on the consent form to require 
the consent form to explicitly describe 
the substance use disorder-related 
information to be disclosed so that 
patients will be aware of the substance 
use disorder information they are 
authorizing to disclose when they sign 
the consent form. In addition, under the 
current (1987) regulation, consent forms 
are required to include the purpose of 
the disclosure. Any disclosure made 
under these regulations must be limited 
to that information which is necessary 
to carry out the purpose of the 
disclosure. 


5. New Requirements 


SAMHSA is modifying this aspect of 
the proposal. SAMHSA proposed to add 
two new requirements related to the 
patient’s signing of the consent form. 
First, SAMHSA proposed a provision 
that would have required the part 2 
program or other lawful holder of 
patient identifying information to 
include a statement on the consent form 
that the patient understands the terms of 
their consent. For the reasons explained 
below, SAMHSA is not incorporating 
this requirement into § 2.31 in this final 
rule. Second, SAMHSA revised § 2.31 to 
require the part 2 program or other 
lawful holder of patient identifying 
information to include a statement on 
the consent form that the patient 
understands their right, pursuant to 
§ 2.13(d), to request and be provided a 
list of entities to which their 
information has been disclosed when 
the patient includes a general 
designation on the consent form. 
SAMHSA is including this requirement 
in the final rule (see 
§ 2.31(a)(4)(iii)(B)(3)(ii)).


Public Comments 


A few commenters supported the 
additional statement clarifying that the 
patient understands the terms of 
consent and their rights. One 
commenter suggested expanding the 
statement to include language about the 
potential consequences of utilizing a 
general designation in the “To Whom” 
and “From Whom” fields, which would
address concerns about the use of two 
general designations, while preserving 
the flexibility allowed in the “From 
Whom” section of the current (1987) 
regulation. 

However, other commenters opposed 
updating the consent requirements 
because doing so would require 
providers to update consent forms or 
would require a separate substance use 
disorder consent form. Several 
commenters questioned the purpose of 
the additional signed statement. A
commenter criticized the proposed 
language and argued that it was an 
attempt to avoid liability. 

Several commenters argued that 
patients would not have the capacity to 
understand what they are signing. 
Furthermore, another commenter stated 
that a signed statement saying that the 
patient has read the terms of the consent 
does not mean the patient actually read 
and understood the consent. A 
commenter recommended a provision to 
allow the treating physician to sign a 
consent for substance use disorder 
records for patients who may lack the 
cognitive ability to sign a waiver. 


SAMHSA Response 


SAMHSA agrees with the commenters 
that the requirement that the part 2 
program or other lawful holder of 
patient identifying information must 
include a statement on the consent form 
that the patient understands the terms of 
their consent is unnecessary. As 
commenters stated, a signature on a 
confirmation statement does not assure 
that the patient has, in fact, read or 
understood it. It is also the case, as 
commenters stated, that some patients 
may not have the capacity, at the time 
they are admitted, to provide an 
informed consent. Therefore, SAMHSA 
has eliminated this requirement. 


K. Prohibition on Re-Disclosure (§ 2.32) 


SAMHSA is adopting this section as 
proposed except for a clarifying revision 
to § 2.32(a). As discussed in the NPRM 
preamble, the prohibition on re- 
disclosure provision only applies to 
information that would identify, 
directly or indirectly, an individual as 
having been diagnosed, treated, or 
referred for treatment for a substance 
use disorder and allows other health- 
related information shared by the part 2 
program to be re-disclosed, if 
permissible under the applicable law. 
SAMHSA also clarified in the NPRM 
preamble that, if data provenance (the 
historical record of the data and its 
origins) reveals information that would 
identify, directly or indirectly, an 
individual as having or having had a 
substance use disorder, the information 
is prohibited from being re-disclosed. In 
addition, SAMHSA revised § 2.32 to 
clarify that the federal rules restrict any 
use of the information to criminally 
investigate or prosecute any patient 
with a substance use disorder, except as 
provided in §§ 2.12(c)(5) and 2.65. 


1. General 
Public Comments 


Several commenters generally 
supported the prohibition on re-
disclosure, with some stating that the
prohibition ensured the confidentiality 
of the patient’s information and would 
facilitate broader sharing of information 
among providers and programs in 
support of integrated care, thus 
increasing quality of care. A commenter 
supported the delineation between 
substance use disorder data and other 
health-related data, particularly the 
flexibility to share portions of a patient’s 
record that do not fall under part 2 
requirements. Another commenter 
supported application of the prohibition 
on re-disclosure to individuals or 
entities that receive confidential 
identifying information from lawful 
holders. 

However, many commenters generally 
disagreed with the prohibition on re- 
disclosure. Commenters argued that the 
prohibition created unnecessary barriers 
and challenges for health care providers 
and would jeopardize patient treatment 
and care coordination (e.g., due to over- 
restriction of medical records). One 
commenter argued that the prohibition 
would prevent the inclusion of 
substance use disorder treatment 
information within HIE, ACOs, CCOs, 
and research institutions. Another 
commenter stated the prohibition would 
prevent substance use disorder 
treatment clinics from being 
incorporated into integrated care 
networks. A commenter said the 
prohibition on re-disclosure would 
prohibit providers or payers from 
correcting or supplementing knowledge 
of another provider based on fear of 
violating the law. Lastly, a commenter 
said the proposed rule’s prohibition on
re-disclosure was not different from the 
current (1987) regulation and therefore 
no clarification was necessary. 


SAMHSA Response 


SAMHSA is adopting § 2.32 as 
proposed except for a minor 
clarification in § 2.32(a). As discussed 
elsewhere in this final rule, SAMHSA is 
attempting to balance the facilitation of 
information exchange within new 
health care models that promote 
integrated care with the continued need 
for confidentiality protections that 
encourage patients to seek treatment 
without fear of compromising their 
privacy. SAMHSA acknowledges the 
legitimate concerns of commenters 
regarding how care coordination relates 
to patient safety. However, SAMHSA 
must consider the intent of the 
governing statute (42 U.S.C. 290dd-2), 
which is to protect the confidentiality of 
substance use disorder patient records. 
SAMHSA believes that the prohibition 
on the re-disclosure of information that 
would identify, directly or indirectly, an
individual as having been diagnosed,
treated, or referred for treatment for a 
substance use disorder comports with 
its statutory mandate. SAMHSA notes 
that the revisions to § 2.32 clarify that 
the prohibition on re-disclosure only 
applies to information that would 
identify an individual as having been 
diagnosed, treated, or referred for 
treatment for a substance use disorder, 
but does not apply to health information 
unrelated to the substance use disorder, 
such as treatment for an unrelated 
health condition. These revisions 
should minimize decisions by part 2 
programs to protect an entire patient 
record. 


Public Comments 


Several commenters argued that the 
original statute for the substance use 
disorder regulations did not prohibit re- 
disclosure. Another commenter argued 
that HIPAA did not exist when the 
original regulations regarding substance 
use disorder data were promulgated and 
that the re-disclosure prohibition was 
not needed in today’s legal 
environment. Another commenter stated 
that the re-disclosure prohibition is at 
odds with the goals of The Mental 
Health Parity and Addiction Equity Act 
and the Affordable Care Act. 


SAMHSA Response 


While the statute may not be explicit 
with regard to certain provisions in 42 
CFR part 2, the statute directs the 
Secretary to prescribe regulations to 
carry out the purpose of the statute, 
which may include definitions and may 
provide for such safeguards and 
procedures that in the judgment of the 
Secretary are necessary or proper to 
effectuate the purposes of this section, 
to prevent circumvention or evasion 
thereof, or to facilitate compliance 
therewith. 

Because 42 CFR part 2 and its 
governing statute are separate and 
distinct from HIPAA and due to its 
targeted population, part 2 provides 
more stringent federal protections than 
most other health privacy laws, 
including HIPAA. However, SAMHSA 
aligned policy with HIPAA where 
possible. 

SAMHSA strives to facilitate 
information exchange within new 
health care models while addressing the 
legitimate privacy concerns of patients 
seeking treatment for a substance use 
disorder. These concerns include: The 
potential for loss of employment, loss of 
housing, loss of child custody, 
discrimination by medical professionals 
and insurers, arrest, prosecution, and 
incarceration. 
2. Impact of Re-Disclosure Prohibition
on Patient Privacy and Patient Choice 


Public Comments 


Several commenters expressed 
concerns that the prohibition on re- 
disclosure did not improve patient 
privacy protections. A commenter stated 
that the proposed changes allowed more 
disclosures without patient notice, 
undermining the goal of protecting a 
patient’s privacy. A commenter argued 
that any information given by a 
substance use disorder treatment 
program, including a refusal to provide 
information, could identify an 
individual as having a substance use 
disorder (whether or not the patient 
actually does) or having received 
treatment for a substance use disorder. 
Another commenter argued against 
expanding the scope of part 2 to non- 
substance use disorder conditions 
which may unfairly suggest the 
presence of a substance use disorder. 

Several commenters expressed 
concern that the prohibition on re- 
disclosure interfered with a patient’s 
choice on whether to disclose their 
medical record. Commenters argued that 
the prohibition on re-disclosure 
imposed an unnecessary burden on 
substance use disorder patients who 
wish to have the same level of quality 
coordinated care as other patients. 
Several commenters expressed concern 
that the prohibition on re-disclosure 
required patients to anticipate future 
care. Several commenters argued that a 
patient should be allowed to consent to 
or otherwise control the re-disclosure of 
their information. 


SAMHSA Response 


Patients may permit re-disclosures of 
their information via written consent. 
Part 2-compliant consent forms can 
authorize an exchange of information 
between multiple parties named in the 
consent form. The key is to make sure 
the consent form authorizes each party 
to disclose to the other ones the 
information specified, and for the
purpose specified, in the consent. In 
addition, the revised consent 
requirements allow patients, under 
certain circumstances, to authorize 
disclosure of their information via a 
general designation (e.g., to “all my
current and future treating providers”)
rather than to specifically name each 
recipient. 

As SAMHSA has stated in this 
regulation, the “To Whom” section of
the consent form can authorize a 
disclosure of patient identifying 
information to an entity that does not 
have a treating provider relationship 
with the patient whose information is
being disclosed and acts as an
intermediary for its participants, such as
an HIO, and a general designation of
individuals and entities with a treating
provider relationship with the patient 
whose information is being disclosed 
that are participants. The required 
statement prohibiting re-disclosure 
should accompany the information 
disclosed through consent along with a 
copy of the part 2-compliant consent 
form (or the pertinent information on 
the consent form necessary for the 
intermediary to comply with the signed 
consent), so that each subsequent 
recipient of that information is notified 
of the prohibition on re-disclosure. 


3. Disclosure of Information that May 
Indicate a Substance Use Disorder 


Public Comments 


Several commenters argued that 
determining which conditions and 
medications would “identify a patient
as having or having had a substance 
abuse order” would be a burden on 
providers. Commenters said most staff 
within an HIE do not have the 
qualifications (e.g., clinical knowledge 
regarding medical conditions and 
medications) to distinguish which 
information could indicate an 
individual’s substance use disorder and 
would thus need to be trained 
accordingly. Commenters stressed that 
the difficulty in determining what 
patient information would indicate a 
patient had a substance use disorder 
would discourage providers and health 
plans from exchanging information, 
further inhibiting coordinated care and 
enforcing differential treatment of 
individuals with substance use 
disorders. 

Several commenters expressed 
concern that the language of the 
proposed rule was too broad. A 
commenter said the provision was 
problematic because many medications 
are frequently related to substance use 
disorder or other physical or mental 
conditions, so there is a risk of 
indicating a patient had a substance use 
disorder whether or not the patient 
actually did have a substance use 
disorder. Similarly, commenters argued 
that preventing disclosure of 
information that suggests a substance 
use disorder is too broad and would 
overly restrict the information available 
to health care providers, thus 
endangering patient safety. A 
commenter recommended that 
SAMHSA interpret “identifies a patient
as having or having had a substance use
disorder” to mean only information that
actually identifies a patient as having a
substance use disorder, rather than
including information that merely
suggests that a person might have a
substance use disorder. A commenter
recommended that the provision be 
interpreted as written in the rule 
language, not as expansively considered 
in the NPRM preamble. 

One commenter argued that a 
prescription for a certain drug is not 
enough to identify a person as having a 
substance use disorder, let alone 
indicate the person is receiving care 
from a substance use disorder program. 
The commenter stated that this 
ambiguity is sufficient to be able to say 
that the information does not “identify” 
the person as having a substance use 
disorder or, moreover, that they are 
being treated in a program. 

A commenter stated that, when
shared records are redacted
to remove all evidence of substance use
disorder, they become worthless in terms
of ensuring improved client care. 
Further, this commenter said that there 
is no way to ensure such redaction 
would be done effectively and that there 
is a high risk of inadvertent disclosure, 
which cannot be made private again. 


SAMHSA Response 


Comments received by SAMHSA 
suggest that the discussion in the NPRM 
of re-disclosure regarding medications 
and examples provided were not clear. 
Both the proposed rule and this final 
rule prohibit re-disclosure of part 2 
information that would identify, 
directly or indirectly, an individual as 
having been diagnosed, treated, or 
referred for treatment for a substance 
use disorder, such as indicated through 
standard medical codes, descriptive 
language, or both, unless further 
disclosure is expressly permitted by the 
written consent of the individual whose 
information is being disclosed or is 
otherwise permitted by the part 2 statute 
or regulations. Such information could, 
in some circumstances, include part 2 
information concerning a patient’s 
prescription for a medication typically 
used for medication-assisted treatment 
or a disease or condition frequently 
associated with substance use disorders. 
While certain medical information in 
and of itself may not identify a patient 
as having a substance use disorder and 
approved medications may be used for 
various purposes, the context of this 
preamble and § 2.32 concerns the re- 
disclosure of information that is directly 
related to the patient’s undergoing 
treatment for substance use disorders. 
Therefore, it is considerably more likely 
that the re-disclosure of such 
information would result in identifying 
the patient as receiving treatment for a 
substance use disorder. By contrast, a 
patient who is not receiving such
treatment (and, therefore, whose health 
information is not covered by this rule) 
would not face such risks even if their 
medication or condition is frequently 
associated with substance use disorders. 
It is also important to note that in some 
cases, patients may expressly consent to 
further re-disclosure and that such re- 
disclosure may in some cases be 
allowed under other provisions of this 
rule. SAMHSA understands that this is 
an important topic and may provide 
additional subregulatory guidance on 
this issue after the publication of this 
final rule. 


4. Technical Challenges in Preventing 
Unauthorized Re-Disclosure 


Public Comments 


Commenters expressed concern that, 
due to how information is exchanged 
electronically, it may be technically 
difficult for the medical industry to 
prevent re-disclosure. Commenters 
argued that providers do not have the 
technical ability to segregate substance 
use disorder content and redact that 
information from being sent to new 
providers who use or review the record. 
More specifically, a commenter argued 
that EHRs currently have the ability to
contribute patient data to an HIE or a 
Regional Health Information 
Organization (RHIO) at the patient level, 
not at the services rendered level. A 
commenter stated that this capability 
was five to ten years away. A 
commenter argued that if the outputs of 
the DS4P’s pilots were refined and 
required under the federal health IT 
certification program, there would have 
been a solution for the re-disclosure of
substance use disorder information. 


Several commenters expressed 
concern about the lack of technical 
standards. A commenter recommended 
that SAMHSA adopt clear technical 
methods and standards for recipients of 
disclosures, by which part 2 providers 
and programs would be able to identify 
which records are not part 2 sensitive 
and can be incorporated directly into
the recipient’s EHR. Similarly, a commenter
stated there needed to be standards for
all EHR vendors and HIEs to address
the re-disclosure prohibition. 


Some commenters expressed concern 
about the burden of upgrading their 
record system to comply with the 
prohibition on re-disclosure. 
Commenters stated that the re- 
disclosure prohibition would require 
upgrades and modifications to EHRs and
HIEs. A commenter stated that 
SAMHSA should provide funding to 
upgrade HIE systems or HIEs would be
likely to refuse to accept substance use
disorder data. 

Many commenters said the 
prohibition on re-disclosure and the 
technical limitations many providers 
faced in preventing re-disclosure would 
have adverse impacts on sharing of 
information and patient care. A 
commenter stated that, due to the 
technical limitations, some providers 
would continue to prohibit re-disclosure 
of the patient’s entire medical record. 
Other commenters argued that the 
technical limitations would result in 
substance use disorder information 
being kept out of the electronic health 
care environment, leaving gaps that 
could contribute to poor patient 
outcomes. A commenter stated that part 
2 programs would be unable to 
participate in integrated care delivery 
models because their system was not 
equipped to segregate substance use 
disorder data. 

A commenter stated that SAMHSA 
should encourage the expansion of 
meaningful use to allow behavioral 
health care providers to adopt data 
segmentation technology. A commenter 
stated that, in light of the EHR 
requirements under meaningful use, 
SAMHSA should consider ways to 
reduce the burden on entities using EHRs
with respect to disclosure statements 
under § 2.32. Another commenter 
argued that SAMHSA should simply 
issue consent recommendations and 
incorporate more complex structures, 
such as data segmentation, in a broader 
mandate or on other requirements in 
order to allow sufficient time for 
implementation. 


SAMHSA Response 


SAMHSA actively supports the 
continued development of data 
standards to support the integration of 
substance use disorder treatment in 
emerging health care models. The Data 
Segmentation for Privacy (DS4P) 
initiative within ONC’s Standards and 
Interoperability (S&I) Framework 
facilitated the development of standards 
to improve the interoperability of EHRs 
containing sensitive information that 
must be protected to a greater degree 
than other health information due to 42 
CFR part 2 and similar state laws. The 
DS4P standard allows a provider to tag 
a C-CDA document with privacy 
metadata that expresses the data 
classification and possible re-disclosure 
restrictions placed on the data by 
applicable law. This aids in the 
electronic exchange of sensitive health 
information. In October 2015, ONC 
adopted the DS4P standard as part of 
the 2015 Edition health IT certification 
criteria. The DS4P certification criteria
require health IT to demonstrate the
ability to send and receive summary
care records that are document-level 
tagged. SAMHSA will continue to work 
with ONC to further refine the DS4P 
standard so that it can be applied to 
segment data at the data element level 
in the manner described in ONC’s 
“Connecting Health and Care for the 
Nation: A Shared Nationwide 
Interoperability Roadmap—Version 1.0 
Final (Roadmap),” 2 and to accelerate 
the adoption of the DS4P send and
receive standards. 


Regarding re-disclosure, the primary 
advantage of continuing the prohibition 
on re-disclosure by recipients of a 
disclosure with patient consent is that it 
assures a greater measure of 
confidentiality for patient identifying 
information. SAMHSA strives to 
facilitate information exchange within 
new health care models while 
addressing the legitimate privacy 
concerns of patients seeking treatment 
for a substance use disorder. These 
concerns include: The potential for loss 
of employment, loss of housing, loss of 
child custody, discrimination by 
medical professionals and insurers, 
arrest, prosecution, and incarceration. 


The prohibition on re-disclosure 
predates this rulemaking and providers 
were already required to comply with 
the existing provision. SAMHSA 
proposed only minor changes to the 
provision for clarity, which should not 
necessitate system upgrades. Therefore, 
SAMHSA declines to respond to 
comments regarding the burdens of 
system upgrades to comply with the 
prohibition on re-disclosure. 


Finally, SAMHSA works closely with 
its federal colleagues to improve the 
integration of substance use disorder 
treatment providers and their data. 
Although the part 2 authorizing statute 
does not give SAMHSA authority to 
mandate data segmentation, as noted 
above, DS4P was included in the ONC 
2015 Edition Health IT Certification 
Criteria (2015 Edition). SAMHSA has 
also supported the development of the 
application branded Consent2Share, an 
open-source health IT solution based on 
DS4P which assists in consent 
management and data segmentation and 
will continue to work to improve the 
granularity of how the DS4P standard 
operates. 


2 https://www.healthit.gov/sites/default/files/hie-interoperability/nationwide-interoperability-roadmap-final-version-1.0.pdf.
5. Requests for Clarification of the Re-
Disclosure Prohibition 


Public Comments 


Commenters requested clarification 
on various aspects of the re-disclosure 
prohibition. Some commenters asked for 
clarification on what records were 
subject to the re-disclosure prohibition 
(e.g., the actual record, or the part 2- 
compliant record that is now 
incorporated into the physician’s notes 
at the receiving institution). The 
commenters requested examples of how 
data may, or may not, be disclosed after 
lawful receipt of part 2 data. 

A commenter suggested that 
SAMHSA confirm that only records that 
originated at a part 2 program are 
subject to the prohibition on re- 
disclosure. 


SAMHSA Response 


Once patient identifying information 
has been initially disclosed (with or 
without patient consent), no re- 
disclosure is permitted without the 
patient’s express consent to re-disclose 
or unless otherwise permitted by the 
part 2 statute or regulations. Only 
disclosure of patient identifying 
information made with the patient’s 
written consent must be accompanied 
by a written notice regarding the part 2 
prohibition on re-disclosure. Although 
there is no requirement to provide such 
written notice to individuals and 
entities who receive information 
through other means under the part 2 
program, all lawful holders must 
comply with the part 2 program 
requirements, including, but not limited 
to the limitations on re-disclosure. 

Regarding requested confirmation that 
only records originated at a part 2 
program are subject to the prohibition 
on re-disclosure, SAMHSA clarifies that 
individuals and entities that are not 
covered by part 2 that possess substance 
use disorder data that did not originate 
in a part 2-covered provider are not 
subject to the part 2 program 
requirements. However, if those 
individuals and entities received that 
information that is subject to part 2 via 
patient consent (with or without the 
notice of prohibition on re-disclosure) 
or through any other means under the 
part 2 program (i.e., through means that 
made them a lawful holder), they would 
be required to comply with part 2. 


Public Comments 


Several commenters asked for 
clarification with regard to disclosing 
prescription medications. A few 
commenters asked whether prescription 
medications could be disclosed without 
consent if the prescriber states that the
prescription is not for substance use
disorder treatment. Another commenter
asked what the requirements were for
medications that are used “off label” to
treat substance use disorder and 
medications that treat withdrawal. A 
commenter asked for clarification on 
whether providers in part 2 programs, 
who do not reveal their part 2 program 
affiliation, would be prohibited from 
disclosing information about substance 
use disorder prescriptions that are also 
prescribed for non-substance use 
disorder purposes, unless the patient 
has consented to the disclosure. 


SAMHSA Response 


SAMHSA agrees that part 2 would 
permit the disclosure of information 
without patient consent relative to a 
medication that is used for both 
substance use disorder and non- 
substance use disorder purposes, even 
when it is being prescribed for the 
purpose of substance use disorder 
treatment. In disclosing the information, 
both the provider and the data 
provenance must not identify the 
provider as being affiliated with a part 
2 program or prescribing the substance 
use disorder medication for substance 
use disorder treatment. 


Public Comments 


Regarding the prohibition on re- 
disclosure, a commenter requested that 
SAMHSA provide clarification on what 
impact a court order has on sharing 
information otherwise deemed 
confidential under the part 2 
regulations. 


SAMHSA Response 


SAMHSA has previously stated in 
FAQ guidance concerning re-disclosures 
that when information is disclosed 
pursuant to an authorizing court order, 
part 2 requires that steps be taken to 
protect patient confidentiality. In a civil 
case, part 2 requires that the court order 
authorizing a disclosure include 
measures necessary to limit disclosure 
for the patient’s protection, which could 
include sealing from public scrutiny the 
record of any proceeding for which 
disclosure of a patient’s record has been 
ordered [42 CFR 2.64(e)(3)]. In a
criminal case, such order must limit 
disclosure to those law enforcement and 
prosecutorial officials who are 
responsible for or are conducting the 
investigation or prosecution, and must 
limit their use of the record to cases 
involving extremely serious crimes or 
suspected crimes [42 CFR § 2.65(e)(2)].


Public Comments 


A commenter asked how a mixed-use 
mental health and substance use
treatment facility should handle re-
disclosure and how SBIRT would be 
addressed under this section. 


SAMHSA Response 


Only the substance use disorder 
information is covered by part 2. The 
mental health information is not. The 
prohibition on re-disclosure only 
applies to information that would 
identify, directly or indirectly, an 
individual as having been diagnosed, 
treated, or referred for treatment for a 
substance use disorder, such as 
indicated through standard medical 
codes, descriptive language, or both, 
and allows other health-related 
information shared by the part 2 
program to be re-disclosed, if 
permissible under other applicable 
laws. 


6. Recommendations To Improve the 
Prohibition on Re-Disclosure 


Public Comments 


Several commenters recommended 
exclusions to the prohibition on re- 
disclosure of substance use disorder 
patient data. A commenter said patients 
should be able to consent to the 
disclosure of substance use disorder 
information to a covered entity and such 
information would be protected by 
HIPAA, but would be free from the re- 
disclosure prohibition. Some 
commenters said SAMHSA should 
permit re-disclosure of substance use 
disorder treatment information for the 
purpose of treatment and/or care 
coordination. Another commenter 
suggested an exemption for providers 
within a given PDMP, CCO, ACO or 
HIE, for the purposes of treatment, 
payment, or health care operations. A 
commenter said SAMHSA should allow 
re-disclosures without patient consent 
for public health purposes to prevent 
disease or control injury or disability. 
Lastly, a commenter said SAMHSA 
should add a category under subpart D 
“Disclosures without Patient Consent” 
to include state health data 
organizations that collect data under a 
legislative authority. 


SAMHSA Response 


Due to its targeted population, part 2 
provides more stringent federal 
protections than most other health 
privacy laws, including HIPAA. In light 
of the statute, SAMHSA declines to 
create the specific suggested exclusions 
from the use and disclosure restrictions. 
SAMHSA will specifically address 
disclosures to subcontractors and 
contractors for health care purposes in 
the SNRPM. 


Public Comments


Commenters requested that SAMHSA 
provide guidance in several areas, 
including the type of permissible 
information that can be disclosed; 
applicability to co-occurring disorders; 
and applicability to multi-use 
organizations. A commenter said 
SAMHSA should publish the medical 
codes (e.g., ICD-10s) that are affected by
this provision. 


SAMHSA Response 


As for the type of permissible 
information that can be disclosed, the 
proposed clarifications to § 2.32 clarify 
that the prohibition on re-disclosure 
only applies to information that would 
identify, directly or indirectly, an 
individual as having been diagnosed, 
treated, or referred for treatment for a 
substance use disorder, such as 
indicated through standard medical 
codes, descriptive language, or both, 
and allows other health-related 
information shared by the part 2 
program to be re-disclosed, if 
permissible under other applicable 
laws. 

Regarding the re-disclosure of 
information related to co-occurring 
disorders, only the substance use 
disorder information is covered by part 
2. The mental health information in a 
patient record is not. However, part 2 
programs must ensure adequate 
confidentiality protections for mental 
health patient data that are applicable 
based on any relevant federal or state 
law. 


Public Comments 


Commenters proposed many other 
recommendations to improve the re- 
disclosure provision. One commenter 
said the rule should specify the 
consequences part 2 providers will face 
if they violate the proposed rule’s 
prohibition on re-disclosure. A 
commenter said non-part 2 programs 
that prescribe substance use disorder 
medication should not be forbidden 
from disclosing such prescriptions, nor 
required to state the purpose of the 
medication. A commenter said the rule 
should continue to prohibit information 
being shared with law enforcement for 
criminal prosecution. A commenter said 
SAMHSA should include an updated 
sample Notice of Prohibition of Re- 
disclosure in the final rule. One 
commenter said patients should have 
the ability to remove their substance use 
disorder history from their medical 
record after ten years. A commenter said 
SAMHSA should rescind the proposed 
prohibition on re-disclosure relative to 
general designations and advocate for
the medical community to do more
within their industry to recognize and 
provide appropriate, comprehensive 
care for those living with substance use 
disorders. 


SAMHSA Response 


Regarding the consequences for 
violation of the re-disclosure 
prohibition, each disclosure made with 
the patient’s written consent must be 
accompanied by the notice of 
prohibition on re-disclosure. Under 42 
U.S.C. 290dd-2(f), any person who
violates any provision of this section or 
any regulation issued pursuant to this 
section shall be fined in accordance 
with Title 18. 

Regarding the comment on non-part 2 
prescribers, prescribers that are not 
covered by part 2 are not prohibited 
from disclosing such prescriptions nor 
required to specify the purpose of such 
prescriptions. 

On prohibition of information being 
shared with law enforcement for 
criminal prosecution, this prohibition 
remains in effect. Specifically, 
SAMHSA has clarified § 2.32(a) to state 
“[t]he federal rules restrict any use of
the information to criminally investigate 
or prosecute any patient with a 
substance use disorder, except as 
provided at §§ 2.12(c)(5) and 2.65.” 


Public Comments 


A commenter stated that individuals 
or entities who are not part 2 programs 
may not be familiar with the specific 
consent requirements of part 2, so the 
next-to-last sentence of § 2.32 should 
include a citation to § 2.31. 


SAMHSA Response 


SAMHSA appreciates the suggestion 
and has revised § 2.32 to add a reference 
to § 2.31 to the penultimate sentence
in paragraph (a). 


L. Disclosures to Prevent Multiple 
Enrollments (§ 2.34) 


SAMHSA is adopting this section as 
proposed. SAMHSA has modernized 
§ 2.34 by updating terminology and 
revising corresponding definitions. 
SAMHSA also consolidated definitions 
by moving definitions from this section 
to the part 2 definitions provision 
(§ 2.11), as discussed in Section III.D. 


Public Comments 


A few commenters supported 
disclosures to prevent multiple 
enrollments. Some urged the proposed 
regulations to go further and specifically 
allow registries in the form of HIEs or 
PDMPs to share controlled substance 
prescriptions in the same manner that it 
would allow withdrawal management or
maintenance treatment programs. The
aim would be to prevent multiple 
prescribing of prescription drugs that 
can be abused. Other commenters 
argued that the registry should be 
available to check enrollment beyond 
200 miles. Asserting that the 
requirement to list every site that may 
be contacted in the consent document is 
an unusual burden, one of these 
commenters suggested that the concern 
can be better addressed by indicating 
“any licensed treatment center within 
the state when a patient presents for 
treatment.” One commenter requested
clarification as to what type of “central
registry” is being considered for
disclosure of patient records. Another 
suggested language that allows for 
multiple payments to providers in 
situations where clients are enrolled in 
multiple programs and where programs 
may be obtaining multiple payments for 
multiple services. 


SAMHSA Response


Central registries, defined as “an
organization that obtains from two or 
more member programs patient 
identifying information about 
individuals applying for withdrawal 
management or maintenance treatment 
for the purpose of avoiding an 
individual’s concurrent enrollment in 
more than one treatment program,” 
serve a different purpose than HIEs or 
PDMPs. According to the Centers for 
Disease Control and Prevention, PDMPs 
are state-run electronic databases used 
to track the prescribing and dispensing 
of controlled prescription drugs to 
patients. They are designed, in part, to 
monitor this information for suspected 
abuse or diversion (i.e., channeling 
drugs into illegal use), and can give a 
prescriber or pharmacist critical 
information regarding a patient’s 
controlled substance prescription 
history. Although PDMPs may serve 
many valuable purposes, SAMHSA 
decided not to address issues pertaining 
to e-prescribing and PDMPs in the final 
rule because, as stated in the NPRM, 
they were not ripe for rulemaking at the 
time due to the state of technology and 
because the majority of part 2 programs 
are not prescribing controlled 
substances electronically. 

Under § 2.34(a)(3)(ii), the consent may 
authorize a disclosure to any 
withdrawal management or 
maintenance treatment program 
established within 200 miles of the 
program after the consent is given 
without naming any such program. 
Regarding comments on the 200-mile 
limit, SAMHSA declines to make any 
changes to the 200-mile limit because it 
is unlikely that a patient would be 
enrolled in multiple programs greater
than 200 miles from each other. The 
regulations do not confine the 200-mile 
limit to within a state. 

As for the request to allow a consent 
for disclosure to “any licensed
treatment center within the state where
a patient presents for treatment,”
SAMHSA has concluded that the 
proposed specificity is needed. Section 
2.34 requires that the consent must list 
the name and address of each central 
registry and each known withdrawal 
management or maintenance treatment 
program to which a disclosure will be 
made. This specificity was retained 
because the purpose of the section is to 
prevent multiple enrollments that 
would result in a patient receiving 
substance use disorder treatment 
medication from more than one 
provider, thereby increasing the 
likelihood for an adverse event or 
diversion. 

Regarding the request to allow for 
multiple payments to providers in 
situations where clients are enrolled in 
multiple programs and where programs 
may be obtaining multiple payments for 
multiple services, SAMHSA has 
determined that this request is outside
of the scope of the proposed part 2 
changes in the NPRM. 


M. Medical Emergencies (§ 2.51) 


SAMHSA is adopting this section as 
proposed. SAMHSA has revised the 
medical emergency exception to give 
providers more discretion to determine 
when a “bona fide medical emergency”
(42 U.S.C. 290dd-2(b)(2)(A)) exists. The
revised language states that patient 
identifying information may be 
disclosed to medical personnel to the 
extent necessary to meet a bona fide 
medical emergency in which the 
patient’s prior informed consent cannot 
be obtained. SAMHSA continues to 
require the part 2 program to 
immediately document, in writing, 
specific information related to the 
medical emergency. 


1. General


Public Comments


Many commenters expressed support 
for the proposed change in language of 
the medical emergency exception to 
provide medical personnel with 
increased discretion to determine a 
“bona fide medical emergency.” Some 
commenters expressly supported 
aligning the regulatory language with 
the statutory language for medical 
emergencies. A commenter supported 
the special rule that would allow the 
disclosure of patient identifying 
information to medical personnel at the
FDA who provide reason to believe that
the health of any individual may be
threatened by a product under the
FDA’s jurisdiction and that the
information is used solely for notifying the
patient or their physicians of the 
potential dangers. 

However, several commenters warned 
that part 2 programs should not be 
expected to assume the unrealistic 
burden of liability for a HIE’s capability 
to comply with all part 2 requirements. 
Another commenter argued the current 
medical emergency exception is clear 
under current (1987) law and providers 
are already making the determination as 
to what constitutes an emergency. 


SAMHSA Response 


SAMHSA appreciates the support of 
commenters on this issue. With regard 
to the comment about the burden of 
liability, SAMHSA asserts that the 
treating provider must make the 
determination as to whether a bona fide 
medical emergency exists. However, 
concern alone about potential drug 
interaction may not be sufficient to meet 
the standard of a medical emergency. 
Thus, based on the circumstances of the 
presenting situation, SAMHSA 
recommends that health care providers 
obtain consent from the patient where 
feasible. 


2. Definition of “Bona Fide Medical
Emergency” 


Public Comments 


Commenters provided various 
suggestions for expanding the definition 
to include disclosure of records for 
mental health involuntary commitment 
evaluations and other psychiatric 
emergencies; to detoxification centers; 
when there is “risk of serious harm” to
self or others by reason of a substance
use disorder; in order to save a life or 
prevent further injury of a person who 
is not able to make a rational decision 
due to mental impairment; and to 
prevent suicide. Several commenters 
asserted the revisions should include an 
exception for disclosure without 
consent in order to prevent medical 
emergencies from occurring in the first 
place. Other commenters suggested not 
limiting this section to only medical 
emergencies, but allowing disclosures 
for treatment, payment, and operation 
purposes. A few commenters supported 
adding a duty to warn exception where 
a substance use disorder patient 
discloses intent, plan, or means to 
inflict harm onto another individual or 
the public. 


SAMHSA Response 


On the request to expand the 
definition, while the statute authorizes
an exception for a bona fide medical
emergency, broadening this provision to 
include non-emergency situations 
would be inconsistent with the statutory 
scheme. With respect to warnings, part 
2 does not impose a duty to warn—or
a duty to disclose any information. It
only governs when disclosures may be 
made, not when they must be made. 
SAMHSA has previously provided FAQ 
guidance on when a part 2 program may 
make a disclosure without divulging 
patient identifying information. 
SAMHSA will monitor this issue and 
may consider whether additional 
subregulatory guidance in the future 
may be helpful. 

Regarding involuntary commitment, 
patient identifying information may be 
disclosed to medical personnel to the 
extent necessary to meet a bona fide 
medical emergency in which the 
patient’s prior informed consent cannot 
be obtained. This may include 
situations in which the patient is not 
regarded as being legally competent 
under the laws of their jurisdiction. 
Such circumstances may apply when a 
patient is subject to an involuntary 
commitment (i.e., formally committed 
for behavioral health treatment by a 
court, board, commission, or other 
lawful authority). Consistent with 
§ 2.51, during the period of time a 
patient is not regarded as being legally 
competent, any previously established, 
unrevoked, or unmodified general 
designation remains valid for their 
current treating providers until such 
time as the individual’s competency is 
restored. The treating provider(s) would, 
in such circumstances, be expected to 
follow provisions of this rule pursuant 
to medical emergencies, including all 
documentation requirements. 
Importantly, at any time when a patient 
is legally competent, they may modify 
their general designation consistent 
with the provisions of this final rule. 


Public Comments 


Other commenters suggested 
restrictions on the definition of “bona 
fide medical emergency” or other 
limitations to the medical emergency 
exception. Several recommended that 
the final rule explicitly state that the 
medical emergency exception continues 
to be limited to circumstances in which 
an individual needs immediate medical 
care and the patient’s consent cannot be 
obtained. The medical emergency 
exception does not apply to situations 
where the patient could but will not 
consent, since the exception should not 
be used to avoid obtaining consent. A 
commenter urged that a “bona fide
medical emergency” be limited to
circumstances in which an individual
needs immediate medical care because
of an immediate (not future) threat to a 
person’s health. 

A commenter asserted that it be 
specified that a “medical emergency” is
determined by the treating provider. 

A commenter asserted that the 
information disclosed in a “bona fide
medical emergency” should be more
clearly limited and the rule should 
require the provider to affirmatively 
share the required documentation of the 
disclosure with the patient. 

A commenter stated that part 2 
information disclosed in a medical 
emergency should not be re-disclosed 
for criminal investigation or 
prosecution. 

A few commenters advocated for 
emergency care providers to be 
permitted to access only limited part 2 
information available through a HIE. 


SAMHSA Response 


On situations in which the patient 
could but will not consent, SAMHSA 
has not revised the regulatory language, 
but agrees that “patient consent could 
not be obtained” refers to the fact that 
the patient was incapable of providing 
consent, not that the patient refused 
consent. 

With regard to the request that a 
“medical emergency” be determined by 
the treating provider, SAMHSA clarifies 
that any health care provider who is 
treating the patient for a medical 
emergency can make that determination. 

On limiting the information disclosed, 
§ 2.13(a) of the rule indicates that the 
amount of information to be disclosed 
“must be limited to that information 
which is necessary to carry out the 
purpose of the disclosure.”

With regard to the comment on re- 
disclosure, SAMHSA will address re- 
disclosure of part 2 information 
obtained during a medical emergency in 
subregulatory guidance rather than in 
the rule, as it has in the past. 


Public Comments 


Several commenters asserted that 
automated or pre-determinations for 
medical emergencies should be allowed. 
A commenter suggested that pre- 
defining the criteria for medical 
emergency would enable HIEs to 
automate the decisions about whether a 
patient visit is a medical emergency. 
The commenter said such criteria could 
be defined by each individual hospital 
or could be based on national standards. 
Another commenter argued that Level of 
Care Utilization System (LOCUS) scores 
and the ASAM levels could be used as 
clinical standards for determining “bona
fide emergency” situations where
behavioral health information should be
more broadly shared. 


SAMHSA Response 


Automated electronic health 
information systems can be programmed 
to flag specific patient information for 
medical personnel to use in determining 
whether a bona fide medical emergency 
exists and may be programmed to 
provide alerts to authorized providers. 
However, as SAMHSA has explained in 
previous FAQ guidance, one may not 
automate the determination of a medical 
emergency. 


Public Comments 


Many commenters requested 
examples of emergency situations in 
order to minimize confusion among 
providers and organizations as to the 
circumstances under which medical 
emergencies would be valid. Many of 
these commenters provided their own 
instances requesting clarification if 
disclosure would be necessary. 


SAMHSA Response 


SAMHSA plans to provide the 
requested examples in subregulatory 
guidance after the publication of this 
final rule. 


3. Documentation of Medical Emergency 


Public Comments 


Many commenters argued for removal 
of the requirement that a part 2 program 
immediately document a disclosure 
pursuant to a medical emergency. A 
commenter stated that SAMHSA should 
simplify the existing onerous 
documentation requirements that 
impede vital sharing of information. 
Another commenter suggested part 2 
programs should rely on other 
functionalities that retain disclosure and 
specific information related to the 
medical emergency, such as audit 
reports. 

A commenter suggested the language 
be modified to allow the part 2 program 
to document the disclosure “promptly”
rather than “immediately.” 

Other commenters suggested 
eliminating the requirement to provide 
“the name of the medical personnel to 
whom disclosure was made.”

Another commenter asserted that the 
rule should allow an HIE to maintain 
documentation of disclosures for the 
part 2 program and provide ongoing 
access to such information. 

A commenter suggested that a “list of
the information disclosed” be added to
the list of information that must be 
entered into the patient record at the 
time of the emergency disclosure. 


SAMHSA Response 


SAMHSA is not convinced of the 
benefit of replacing “immediately” with 
“promptly,” particularly since neither 
term is defined in the final rule. With 
regard to the suggestion to eliminate the 
requirement to provide “the name of the
medical personnel to whom disclosure 
was made,” the current (1987) part 2 
regulations (as well as the regulatory 
language in the NPRM) require part 2 
programs to document the name of the 
medical personnel to whom disclosure 
was made and their affiliation with any 
health care facility because it is 
important for that information to be 
available to the part 2 program and the 
patient. 


4. Other Comments on Medical 
Emergencies 


Public Comments 


Some commenters suggested that 
SAMHSA expand who is authorized to 
access emergency records. Some 
commenters requested the definition of 
“medical personnel” include any
professional who provides health- 
related services, including behavioral 
health services, rather than being 
limited to medical doctors, nurses, and 
emergency medical technicians. Other 
commenters suggested the language be 
changed so that “non-medical
personnel” who are currently working 
with clients in an emergency situation 
have access to the patient emergency 
record. A commenter argued that 
substance use disorder patients 
commonly face medical emergencies 
and therefore it is prudent for an 
emergency department to be named or
identified under the “general 
disclosure” provision. 


SAMHSA Response 


Part 2 allows patient identifying 
information to be disclosed to medical 
personnel in a medical emergency. Part 
2 does not define the term “medical 
personnel” but merely provides that 
information can be given to medical 
personnel who have a need for 
information about a patient in a bona 
fide medical emergency. It is up to the 
health care provider or facility treating 
the emergency to determine the 
existence of a medical emergency and 
which personnel are needed to address 
the medical emergency. The name of the 
medical personnel to whom the 
disclosure was made, their affiliation 
with any health care facility, the name 
of the individual making the disclosure, 
the date and time of the disclosure, and 
the nature of the medical emergency 
must be documented in the patient’s 
records by the part 2 program disclosing 
the information. SAMHSA does not
have the authority to permit information 
to be disclosed to “non-medical 
personnel” pursuant to a medical 
emergency because the authorizing 
statute for the regulations codified at 42 
CFR part 2 limits disclosures to 
“medical personnel.” 


With regard to identifying emergency 
departments under the “general 
disclosure” provision, the medical 
emergency exception requires that a 
provider determine that a bona fide 
medical emergency exists and that a 
patient’s visit to an emergency room 
does not automatically constitute such 
an emergency. SAMHSA reiterates that 
there is a difference between refusal to 
consent and being incapable of 
consenting to disclosure. 


Public Comments 


Commenters requested clarification 
on which entity, the receiving 
emergency department or HIE, would be 
obligated to maintain part 2-compliance 
with information received through a 
declared patient emergency. A 
commenter argued the rule should state 
that a hospital emergency room or other 
health care provider that obtains 
program information under the medical 
emergency exception would not be 
subject to part 2 rules with respect to 
such program information. 


SAMHSA Response 


Part 2 requires that when a disclosure 
is made in connection with a medical 
emergency, the part 2 program must 
document in the patient’s record the 
name and affiliation of the recipient of 
the information, the name of the 
individual making the disclosure, the 
date and time of the disclosure, and the 
nature of the emergency. Thus, data 
systems must be designed to ensure that 
the part 2 program is notified when a 
“break the glass” disclosure occurs and
part 2 records are released pursuant to 
a medical emergency. The notification 
must include all the information that 
the part 2 program is required to 
document in the patient’s records. The 
information about emergency 
disclosures should also be kept in the 
HIE’s electronic system. Regarding the 
requests for clarification on part 2 
applicability to information disclosed 
pursuant to a medical emergency, 
SAMHSA understands the importance 
of these questions. However, because 
these issues are not related to specific 
proposals made in the NPRM, SAMHSA 
plans to address them in subregulatory 
guidance after the publication of the 
final rule. 


Public Comments 


A commenter warned that emergency 
disclosures for requesting of part 2 
records can occur by means other than 
solely through an HIE. 


SAMHSA Response 


The EHR is the vehicle for the 
disclosure of the part 2 record but not 
the decision-maker. The name of the 
person who makes the determination to 
disclose and discloses the information 
electronically through an EHR system 
should be recorded. SAMHSA clarifies 
that the example used of an HIE was not 
meant to be exhaustive to include all 
potential sources of disclosures. 


N. Research (§ 2.52) 


SAMHSA is modifying this section 
from the regulatory text proposed, as 
described in detail below. SAMHSA is 
implementing several changes to the 
research provision. First, we have 
revised the section heading by deleting 
the word “activities.” In addition,
SAMHSA has revised the research 
exception to permit data protected by 42 
CFR part 2 to be disclosed by any 
individual or entity that is in lawful 
possession of part 2 data (lawful holder 
of part 2 data) under certain conditions. 

SAMHSA also addressed data 
linkages because the process of linking 
two or more streams of data opens up 
new research opportunities and 
potential risks. In the NPRM, SAMHSA 
proposed to permit researchers to 
request to link data sets that include 
patient identifying information if (1) the 
data linkage uses data from a federal 
data repository, and (2) the project, 
including a data protection plan, is 
reviewed and approved by an 
Institutional Review Board (IRB) 
registered with the Office for Human 
Research Protections (OHRP) in 
accordance with 45 CFR part 46. 
SAMHSA requested comments in the 
NPRM on whether to expand the data 
linkages provision beyond federal data 
repositories. After considering the 
public comments received on this topic, 
as discussed in greater detail below, 
SAMHSA has revised the data linkages 
provision to permit researchers to link 
to federal and non-federal data 
repositories provided certain conditions 
are met. 

The revised § 2.52 permits a 
researcher to include part 2 data in 
reports only in aggregate form. 
SAMHSA clarified in this final rule that, 
with respect to these types of reports, 
the patient identifying information has 
been rendered non-identifiable such 
that the information cannot be 
re-identified and serve as an unauthorized 
means to identify a patient, directly or 
indirectly, as having or having had a 
substance use disorder. SAMHSA 
requires any individual or entity 
conducting scientific research using 
patient identifying information to meet 
additional requirements to ensure 
compliance with confidentiality 
provisions under part 2. Note that de- 
identified information can be shared for 
the purposes of research; this was the 
status quo under the previous part 2 
regulations, and this final rule does not 
change that. 

Finally, § 2.52 addresses, in addition 
to the maintenance of part 2 data, the 
retention and disposal of such 
information used in research. SAMHSA 
expanded the provisions in § 2.16 
(Security for records) and references the 
policies and procedures established 
under § 2.16 in revised § 2.52. The 
NPRM language in (a)(1) only referenced 
“the HIPAA privacy rule at 45 CFR 
164.512(i)” while the final rule 
regulatory language in (a)(1) now says: 
“consistent with the HIPAA Privacy 
Rule at 45 CFR 164.508 or 164.512(i), as 
applicable”. 


1. General 


Public Comments 


Many commenters expressed support 
for revising the research exception to 
permit data protected by part 2 to be 
disclosed to qualified personnel for the 
purpose of conducting scientific 
research by a part 2 program or any 
other individual or entity that is in 
lawful possession of part 2 data (lawful 
holder of part 2 data). Many 
commenters expressed general support 
for expanding the circumstances in 
which research may be conducted with 
part 2 data. Many commenters 
supported disclosure of data from other 
lawful holders of substance use disorder 
records with researchers. Commenters 
supported the prevention of data 
scrubbing of records and other data 
suppression related to substance use 
disorders. Some commenters specified 
support to stop “suppression” of 
Medicare and Medicaid data from any 
records associated with substance use 
disorder. 


SAMHSA Response 


SAMHSA’s revisions to the research 
provision address these concerns 
regarding access to substance use 
disorder information from CMS claims/ 
encounter data disclosed for research 
purposes. First, the research provision 
permits part 2 programs and other 
lawful holders of patient identifying 
information (not just part 2 program 
directors) to disclose data protected by 
42 CFR part 2 to qualified personnel for 
the purpose of conducting scientific 
research if the researcher provides 
documentation of meeting certain 
requirements related to other existing 
protections for human research. Second, 
SAMHSA also addressed data linkages 
to enable researchers holding part 2 data 
to link to data sets from federal and non- 
federal data repositories provided 
certain conditions are met as spelled out 
in section 2.52. 


Public Comments 


Another commenter supported the 
use of data use agreements for all 
research transfers of part 2 information 
and requested the proposed regulation 
provide examples of these agreements. 
A commenter stated that the agency 
should allow research of additional 
administrative data sets such as those 
held by HIEs, ACOs, state Medicaid 
agencies, commercial insurance 
companies, and Medicare Advantage 
plans with appropriate IRB reviews. 


SAMHSA Response 


Although not required by § 2.52, the 
regulation would permit any lawful 
holder of patient identifying 
information to require a researcher to sign 
a data use agreement spelling out these 
requirements. 

SAMHSA is adopting its proposal 
regarding the research exception to 
permit data protected by 42 CFR part 2 
to be disclosed to qualified personnel 
for the purpose of conducting scientific 
research by a part 2 program or any 
other individual or entity that is in 
lawful possession of part 2 data if the 
researcher provides documentation of 
meeting certain requirements related to 
other existing protections for human 
research. If an entity meets the 
requirements of an “other lawful holder 
of patient identifying information,” as 
described in the preamble of this final 
rule, the entity would be authorized to 
disclose part 2 data for research 
purposes in accordance with § 2.52. 


Public Comments 


Another commenter asked a series of 
questions related to the release of data 
by lawful holders that are not part 2 
programs (e.g., HIEs). The commenter 
asked how these HIEs, third-party 
payers, etc., will be able to determine 
that a researcher will maintain the 
confidential patient identifying 
information in accordance with the 
security requirements set out in 
§ 2.52(a)(2); how will the “lawful 
holders” be able to assess whether the 
potential benefits of the research 
outweigh any risks to confidentiality as 
required by § 2.52(a)(3); and what 
individual at these various “lawful 
holders” will be the equivalent of a part 
2 program director and have the 
authority to make these decisions. The 
commenter stated that it is almost 
certain that these “lawful holders” will 
not sufficiently know the confidentiality 
regulations so as to ensure the 
researchers are aware of, and will 
comply with the prohibition against re- 
disclosure specified in § 2.52(b). 


SAMHSA Response 


SAMHSA examined the existing 
regulations that protect human subjects 
in research and concluded that, if those 
requirements were fulfilled, 42 CFR part 
2 would ensure confidentiality 
protections consistent with the statute, 
while providing the expanded authority 
for disclosing patient identifying 
information. Requirements that ensure 
compliance with HIPAA and the 
Common Rule (e.g., IRB and/or privacy 
board review) with respect to research 
provide these assurances, including that 
the researcher has a plan to protect and 
destroy identifiers and to not re-disclose 
the information in an unauthorized 
manner. The individual who would 
make the determination to disclose part 
2 data on behalf of a part 2 program or 
other lawful holder would be the 
individual designated as director or 
managing director, or individual 
otherwise vested with authority to act as 
chief executive officer or their designee. 
In addition, there is nothing in the 
regulation that requires this individual 
to disclose the data, even if the 
researcher provides documentation of 
compliance with the requirements 
under § 2.52. 


Public Comments 


A commenter stated that the proposed 
rule adopted an overly narrow approach 
to disclosures for scientific research, by 
limiting part 2 disclosures only to 
entities or individuals subject to the 
HIPAA Privacy Rule or the HHS 
Common Rule. The commenter stated 
that because the commenter is not a 
HIPAA covered entity or business 
associate under HIPAA, and is not 
currently subject to the Common Rule, 
the commenter does not appear to meet 
the conditions required for disclosure 
for scientific research. The commenter 
stated that limiting disclosures for 
research purposes only to entities or 
individuals subject to the HIPAA 
Privacy Rule and/or Common Rule is 
inconsistent with the language and 
intent of the governing statute, which 
broadly authorizes disclosures to 
“qualified personnel for the purposes of 
conducting scientific research.” (42 
U.S.C. 290dd-2(b)(2)(B)). The 
commenter urged SAMHSA to interpret 
research broadly to include state 
analytic activities to identify patterns 
and variations in the cost, quality and 
delivery of health care, similar to the 
approach adopted by CMS for the 
release of CMS claims/encounter data to 
state agencies. 


SAMHSA Response 


The revised research exception will 
now permit data protected by 42 CFR 
part 2 to be disclosed for research 
purposes by part 2 programs and other 
lawful holders of patient identifying 
information, not just by part 2 program 
directors as the 1987 final rule 
regulations require. Because SAMHSA 
is expanding the authority for disclosing 
patient identifying information beyond 
part 2 program directors, it was 
necessary to establish a mechanism to 
ensure that confidentiality protections 
consistent with the statute were fulfilled 
in all cases. SAMHSA determined that 
the existing regulations that protect 
human subjects in research would 
accomplish this, and, therefore, decided 
to limit the permitted disclosures for 
research purposes under part 2 to 
instances in which the researchers 
would meet the requirements governing 
their receipt of protected health 
information from a covered entity under 
the HIPAA privacy rule and/or the 
requirements governing research on 
human subjects under the HHS 
Common Rule. Under this expanded 
authority, the HIPAA standards would 
be applied as a test regardless of 
whether the data source for the 
disclosure was a HIPAA covered entity. 

Under 42 CFR part 2, the research 
provision provides clear policies on 
conducting research and protecting the 
confidentiality of patient identifying 
information, including their obligations 
to comply with requirements under 42 
CFR 2.16, Security for Records. 


Public Comments 


A commenter stated that SAMHSA, in 
coordination with state regulators, 
should work together to issue guidance 
related to the application of the federal 
part 2 requirements to substance use 
disorder information that may be 
requested by states for public health and 
other purposes. 


SAMHSA Response 


The statute authorizing part 2 
contains specific limited exceptions to 
the consent requirement, and making a 
change to exempt states from this 
requirement, under certain conditions, 
would be inconsistent with the statutory 
scheme. 


Public Comments 


One commenter stated that the 
expansion of the disclosure of patient 
identifying information should be 
limited to CMS and/or state 
governmental agencies that have 
authority over substance use disorder 
treatment services. The commenter 
stated that an unintended consequence 
of implementing the potential of wide- 
spread disclosure of previously 
protected information is that the 
protections the confidentiality 
regulations afforded patients will be 
eviscerated as essentially all the 
recipients of protected information for 
the last 40 years will no longer be bound 
by the prohibition of re-disclosure, 
subjecting the patient’s information to 
re-disclosure, without the patient’s 
consent, to any individual or entity 
representing that they are conducting 
scientific research. The commenter 
argued that SAMHSA should limit the 
number of entities who can release 
patient identifying information to those 
who actually have the resources to 
verify that such disclosure to a 
researcher is for a valid research 
purpose; can ensure proper research 
protections are in place; and affirm the 
patient will not be more vulnerable as 
a result of the disclosure. The vast 
majority of lawful holders cannot 
adequately perform this analysis and 
therefore cannot protect the patient’s 
interest as required under the part 2 
regulations. 


SAMHSA Response 


SAMHSA declines to narrow the 
scope of the research provision as 
suggested. In developing the proposed 
rule, SAMHSA examined the existing 
regulations that protect human subjects 
in research and concluded that, if those 
requirements were fulfilled, 42 CFR part 
2 would ensure confidentiality 
protections consistent with the statute, 
while providing the expanded authority 
for disclosing patient identifying 
information. Specifically, IRBs 
determine that, when appropriate, there 
are adequate provisions to protect the 
privacy of subjects and to maintain the 
confidentiality of data before approving 
the research (45 CFR 46.111(a)(7)). 
SAMHSA is interested in affording 
patients protected by 42 CFR part 2 the 
same opportunity to benefit from 
advanced research protocols while 
continuing to safeguard their privacy, 
and narrowing the scope of lawful 
holders that may disclose part 2 data for 
research purposes, as suggested by the 
commenter, would limit the ability of 
patients to benefit from these research 
efforts. 


Public Comments 


Other commenters expressed concern 
about the expanded research exception. 
A commenter stated that the proposed 
provision would create a wide 
opportunity for data sharing with 
increased risk of adverse impact. 
Similarly, a commenter warned that the 
research exception revision poses 
unnecessary risk of data breach of 
patient’s confidentiality. 

SAMHSA received a large number of 
comments, particularly from 
researchers, expressing support for the 
revised research provision. These 
commenters expressed concern that, 
without this revised provision, 
researchers’ access to substance use 
disorder-related data in Medicare and 
Medicaid claims/encounter databases 
would be limited to instances in which 
consent could be obtained. A number of 
commenters cited a study by K. Rough 
et al. published in the March 15, 2016, 
issue of the Journal of the American 
Medical Association that found the 
exclusion of part 2 data from Medicare 
and Medicaid claims/encounter data in 
research contexts coincided with 
decreases in the rates of diagnoses for 
certain conditions commonly co- 
occurring with substance use disorder. 
Commenters reiterated a point made in 
the article that underestimating 
diagnoses has the potential to bias 
health services research studies and 
epidemiological analyses. Some 
commenters also stated that 
implementing appropriate data 
safeguards can protect patient privacy 
while still allowing researchers access 
to critical data. 


SAMHSA Response 


SAMHSA agrees with the 
commenters’ assertions regarding how 
the exclusion of this substance use 
disorder data hampers vital public 
health research, particularly in light of 
the growing national opioid epidemic, 
and is finalizing the research data access 
proposal in the final rule. 

With respect to concerns about 
privacy and the expansion of the 
research exception, SAMHSA clarifies 
that the research exception is intended 
to permit data protected by 42 CFR part 
2 to be disclosed to qualified personnel 
for the purpose of conducting scientific 
research by a part 2 program or any 
other individual or entity that is in 
lawful possession of part 2 data (lawful 
holder of part 2 data). 

The research provision (§ 2.52(b)) 
already includes a requirement that the 
researcher receiving the part 2 data is 
fully bound by 42 CFR part 2. Although 
not required by § 2.52, the regulation 
would permit any lawful holder of 
patient identifying information to 
require a researcher to sign a data use 
agreement spelling out these 
requirements. Lawful holders of patient 
identifying information may disclose 
part 2 data without patient consent for 
research purposes only under the 
specified circumstances under the 
research provision. 


Public Comments 


A commenter requested clarification 
as to whether “lawful holders” may 
disclose part 2 data to third parties to 
conduct research or whether the “lawful 
holder” has to conduct the research 
itself. 

Citing the HIPAA tracking criteria for 
disclosures outside the entity pursuant 
to a waiver of authorization, another 
commenter asked SAMHSA to clarify 
what tracking requirements would 
apply to disclosure of part 2 data for 
purposes of research. This commenter 
also asked SAMHSA to clarify whether 
disclosure for purposes of research 
means sharing the data with anyone for 
research purposes or only applies when 
part 2 data is shared with an outside 
entity. 


SAMHSA Response 


The research provision permits part 2 
programs and other lawful holders of 
patient identifying information to 
disclose data protected by 42 CFR part 
2 to qualified personnel for the purpose 
of conducting scientific research if the 
researcher provides documentation of 
meeting certain requirements related to 
other existing protections for human 
research. “Qualified personnel” is a 
statutory term and SAMHSA has 
clarified that this term includes those 
individuals who meet the requirements 
specified in the research provision to 
receive part 2 data for the purpose of 
conducting scientific research. 

The proposed rule did not include a 
tracking requirement for information 
disclosed under the research exception 
and so we are declining to include such 
a requirement in the final rule. 


Public Comments 


Another commenter reasoned that 
municipalities should be able to receive 
and match patient identifying 
information and then use the de- 
identified data for planning and analysis 
purposes (e.g., determining how many 
criminal justice-involved defendants 
have a previous history of substance use 
disorder treatment). 


SAMHSA Response 


SAMHSA declines to make the 
recommended expansion to the research 
provision. SAMHSA is revising the 
research exception to permit data 
protected by 42 CFR part 2 to be 
disclosed to qualified personnel for the 
purpose of conducting scientific 
research by a part 2 program or any 
other individual or entity that is in 
lawful possession of part 2 data (lawful 
holder of part 2 data). “Qualified 
personnel” is a statutory term and 
SAMHSA has clarified that this term 
includes those individuals who meet 
the requirements specified in the 
research provision to receive part 2 data 
for the purpose of conducting scientific 
research. This term would not preclude 
researchers from conducting such 
research efforts on behalf of a 
municipality. However, part 2 prohibits 
researchers from re-disclosing patient 
identifying information except back to 
the individual or entity from whom that 
patient identifying information was 
obtained or as permitted under § 2.52(c) 
of this section, and permits researchers 
to include part 2 data in reports only in 
aggregate form in which patient 
identifying information has been 
rendered non-identifiable such that the 
information cannot be re-identified and 
serve as an unauthorized means to 
identify a patient, directly or indirectly, 
as having or having had a substance use 
disorder. 


Public Comments 


A commenter expressed support for 
the strengthened proposed research 
provision whereby patient identifying 
information may be released only after 
the program director has determined the 
research recipient has obtained 
appropriate IRB and/or privacy board 
approval and consent. Another 
commenter asserted that information 
that is de-identified and presented in 
aggregate should be permitted to be 
more readily used in research. The 
commenter stated that this was another 
area where SAMHSA can promote 
greater alignment with HIPAA, which 
provides allowances for covered 
information that is de-identified and 
presented in the aggregate. 


SAMHSA Response 


Part 2 only applies to information that 
would identify a patient as having or 
having had a substance use disorder. 
The revised research provision allows 
researchers to include part 2 data in 
reports only in aggregate form in which 
patient identifying information has been 
rendered non-identifiable such that the 
information cannot be re-identified and 
serve as an unauthorized means to 
identify a patient, directly or indirectly, 
as having or having had a substance use 
disorder. The revised § 2.52 also 
requires researchers to maintain and 
destroy patient identifying information 
in accordance with the security policies 
and procedures established under 
§ 2.16. SAMHSA aligned policy with 
HIPAA where possible. However, 42 
CFR part 2 and its governing statute are 
separate and distinct from HIPAA, and 
the part 2 regulations use different 
terminology than used in HIPAA. 


Public Comments 


A commenter requested clarification 
on whether data disclosed to qualified 
personnel under § 2.52 would include 
“identifiable information.” For example, 
this commenter asked why a name 
would be relevant if the data and 
information would be used for research. 
Another commenter stated that certain 
patient identifying information such as 
social security numbers should not be 
included, as it serves no purpose to 
researchers. The commenter stated that 
this can easily be mitigated by data 
segmentation and consent management, 
but until then the rule should be 
maintained in that the part 2 program 
director is the only individual 
authorized to release information. 


SAMHSA Response 


The part 2 data that may be disclosed 
for research purposes include patient 
identifying information, as that term is 
defined in § 2.11. One reason 
researchers would need identifiable 
information is to link part 2 data to 
other data sets, or for conducting data 
linkages. SAMHSA also proposed to 
address data linkages, which requires 
identifiable information, because the 
process of linking two or more streams 
of data opens up new research 
opportunities and potential risks. For 
example, the practice of requesting data 
linkages from other data sources to 
study the longitudinal effects of 
treatment is becoming widespread. 
SAMHSA is interested in affording 
patients protected by 42 CFR part 2 the 
same opportunity to benefit from these 
advanced research protocols while 
continuing to safeguard their privacy. 
Likewise, SAMHSA revised the research 
provision to enable part 2 data to be 
disclosed for research purposes by part 
2 programs and other lawful holders of 
patient identifying information so that 
patients may benefit from the additional 
scientific research that will be 
conducted and that will facilitate 
continual quality improvement of part 2 
programs and the important services 
they offer. This additional research 
would not be able to be conducted if 
SAMHSA were to continue to maintain 
the existing part 2 research provision, as 
suggested. 


2. Suggestions for Improvement of the 
Research Provisions 


Public Comments 


Some commenters made suggestions 
to improve privacy protections as they 
relate to research. A commenter 
suggested that the research provision 
require a certificate of confidentiality as 
a prerequisite to researcher access to 
part 2 information. 


SAMHSA Response 


The research provision (§ 2.52(b)) 
already includes a requirement that the 
researcher receiving the part 2 data is 
fully bound by 42 CFR part 2. Although 
not required by § 2.52, the regulation 
would permit any lawful holder of 
patient identifying information to 
require a researcher to sign a data use 
agreement spelling out these 
requirements. 

According to NIH, certificates of 
confidentiality do not take the place of 
good data security or clear policies and 
procedures for data protection, which 
are essential to the protection of 
research participants’ privacy. Under 42 
CFR part 2, the research provision 
provides clear policies on conducting 
research and protecting the 
confidentiality of patient identifying 
information, including their obligations 
to comply with requirements under 42 
CFR 2.16, Security for Records. 


Public Comments 


A commenter concluded that the 
number of entities who could release 
patient identifying information should 
be limited to those who have the 
resources to verify the research is valid 
and the patient will not become more 
vulnerable as a result of disclosure. A 
commenter suggested that strict policies 
be in place at all levels of research 
organizations to assure that prohibited 
re-disclosure of patient information 
does not occur. A commenter asserted 
that aligning part 2’s requirements for a 
valid written consent with those 
applicable under the HIPAA Privacy 
Rule would avoid confusion. One 
commenter suggested that the filing of 
conflict of interest statements by the 
primary investigators and co- 
investigators be required. A commenter 
suggested a change in language to clarify 
that researchers will resist any judicial 
demand for access to patient records, 
except as permitted by these 
regulations. 


SAMHSA Response 


SAMHSA examined the existing 
regulations that protect human subjects 
in research and concluded that, if those 
requirements were fulfilled, 42 CFR part 
2 would ensure confidentiality 
protections consistent with the statute, 
while providing the expanded authority 
for disclosing patient identifying 
information. Requirements that ensure 
compliance with HIPAA and the 
Common Rule (e.g., IRB and/or privacy 
board review) with respect to research 
provide these assurances, including that 
the researcher has a plan to protect and 
destroy identifiers and to not re-disclose 
the information in an unauthorized 
manner. Disclosure of part 2 data also 
would be allowable for research that 
qualifies for exemption under the 
Common Rule due to the lower risk to 
subjects in the circumstances where 
exemptions apply, and this has been 
clarified in § 2.52(a)(2). The individual 
who would make the determination to 
disclose part 2 data on behalf of a part 
2 program or other lawful holder would 
be the individual designated as director 
or managing director, or an individual 
otherwise vested with authority to act as 
chief executive officer or their designee. 
In addition, there is nothing in the 
regulation that requires this individual 
to disclose the data, even if the 
researcher provides documentation of 
compliance with the requirements 
under § 2.52. 

SAMHSA declines to make the 
recommended change regarding 
conflicts of interest to the research 
section (§ 2.52). The revised research 
provision requires reviews, either by an 
IRB and/or privacy board, for the 
specific purpose of minimizing risk to 
patients and their privacy. The research 
provision also requires researchers 
requesting data linkages, as described in 
§ 2.52(c), to have the request reviewed 
and approved by an IRB registered with 
the Department of Health and Human 
Services, Office for Human Research 
Protections in accordance with 45 CFR 
part 46 to ensure that patient privacy is 
considered and the need for identifiable 
data is justified. In addition, HHS has 
issued subregulatory guidance that, to 
the extent financial interests may affect 
the rights and welfare of human subjects 
in research, IRBs, institutions, and 
investigators need to consider what 
actions regarding financial interests may 
be necessary to protect those subjects. 

SAMHSA proposed to require any 
individual or entity conducting 
scientific research using patient 
identifying information to meet 
additional requirements to ensure 
compliance with confidentiality 
provisions under part 2. Among these 
are a provision (§ 2.52(b)(1)) that 
“requires researchers to be fully bound 
by these regulations and, if necessary, to 
resist in judicial proceedings any efforts 
to obtain access to patient records 
except as permitted by these 
regulations.” 


Public Comments 


Another commenter suggested that 
the rule allow an extended disclosure 
period specific to research that could be 
included in the initial disclosure 
approval. 


SAMHSA Response 


The part 2 regulations do not specify 
a disclosure period in the research 
provision. 


Public Comments 


A commenter said that it would bring 
clarity and aid entities seeking to 
comply with the proposed rule if it 
included a definition of “repository” 
and of “scientific research.” The 
commenter stated that the HHS 
Common Rule provisions, referenced 
repeatedly in the proposed rule, apply 
only to activities which meet the 
definition of research involving human 
subjects. It is not clear whether 
SAMHSA intends to adopt Common 
Rule definitions or create a separate 
scheme. 


SAMHSA Response 


SAMHSA did not propose a 
regulatory definition for these terms in 
the NPRM and respectfully declines to 
define the terms in the final rule as 
suggested. “Scientific research” is a 
statutory term that is not defined. 
Researchers requesting part 2 data for 
the purposes of conducting scientific 
research and whose research is subject 
to the Common Rule would need to 
comply with requirements for the 
Common Rule as well as those of part 
2. SAMHSA refers to the term 
“repository” in the context of the data 
linkages provision, and intended the 
term to broadly refer to data that is 
stored and managed. SAMHSA may 
address undefined terms that require 
further elaboration in subregulatory 
guidance or in subsequent rulemaking. 


Public Comments 


One commenter supported provisions 
that allow states to work with outside 
entities, which are HIPAA and Common 
Rule compliant, to conduct research that 
will improve care and drive quality 
outcomes for Medicaid beneficiaries 
with a substance use disorder. 


SAMHSA Response 


SAMHSA supports the efforts of part 
2 stakeholders to work together 
collaboratively and in compliance with 
the law. Part 2 prohibits researchers 
from re-disclosing patient identifying 
information except back to the 
individual or entity from whom that 
patient identifying information was 
obtained or as permitted under the data 
linkages provision. Researchers may 
include part 2 data in reports only in 
aggregate form in which patient 
identifying information has been 
rendered non-identifiable such that the 
information cannot be re-identified and 
serve as an unauthorized means to 
identify a patient, directly or indirectly, 
as having or having had a substance use 
disorder. 


3. HIPAA and HHS Common Rule 
Requirements 


Public Comments 


Many commenters expressed support 
for aligning requirements for disclosure 
of information for conducting research 
with existing requirements for research 
as regulated by the HHS Common Rule 
(45 CFR part 46). A commenter 
remarked that an alternate approach 
would be to create a single category of 
consent for research purposes. 


SAMHSA Response 


In this part 2 final rule, SAMHSA has 
implemented certain revisions that are 
predicated on the current version of the 
Common Rule (45 CFR part 46, 
Protection of Human Subjects, 
promulgated in 1991). Should 
conflicting policies be created in the 
future, SAMHSA will take appropriate 
action (e.g., issue an NPRM or technical 
correction). With respect to creating a 
single category of consent for research, 
the existing consent requirements 
permit patient consent for the disclosure 
of patient identifying information for 
the purpose of scientific research. 


4. Data Linkages 


SAMHSA revised § 2.52 from the 
proposed regulatory text by separating 
out the data linkages provisions into their 
own paragraph, § 2.52(c), for purposes of 
clarity and readability. In addition, the 
final § 2.52 addresses data linkages to 
enable researchers holding part 2 data to 
link to data sets from federal and non- 
federal data repositories as explained in 
greater detail below. SAMHSA proposed 
to permit researchers to request to link 
data sets that include patient identifying 
information under certain conditions. 
We proposed to limit the data 
repositories from which a researcher 
may request data for data linkages 
purposes to federal data repositories 
because federal agencies that maintain 
data repositories have policies and 
procedures in place to protect the 
security and confidentiality of the 
patient identifying information that 
must be submitted by a researcher in 
order to link the data sets. SAMHSA
sought input from the public regarding
whether to expand the data linkages 
provision beyond federal data 
repositories; what confidentiality, 
privacy, and security safeguards are in 
place for those non-federal data 
repositories; and whether those 
safeguards are sufficient to protect the 
security and confidentiality of the 
patient identifying information. 


Public Comments 


Several commenters suggested that 
researchers be allowed to perform data 
linkages between data sets containing 
substance use disorder data. However, 
some warned that the proposed rule was 
unclear regarding data linkages. One 
commenter said SAMHSA should 
clarify that researchers have the option 
to submit data to a federal data 
repository, like CMS, for linking of 
federal data, but are not required to do 
so. Other commenters argued that 
proposed § 2.52 should explicitly allow 
researchers to perform their own data 
linkages between data sets containing 
substance use disorder records. A 
commenter asserted that non-profit 
entities who engage in research should 
be distinct from for-profit organizations 
and that for-profit organizations should 
not be allowed access to large linked 
data sets. 

Many commenters expressed support 
for permitting linkage with non-federal 
repositories where adequate, flexible 
safeguards are in place to protect the 
security and confidentiality of part 2 
data. A commenter asserted that only 
allowing researchers to combine 42 CFR 
part 2 records received without patient 
consent with records from a federal 
repository is not consistent with the 
goal of enhancing research conducted 
with data protected by part 2. In 
particular, commenters pointed out that 
many state, local, tribal, and corporate 
data repositories with hospital 
emergency department and discharge, 
trauma registry, and birth and death 
records would not be covered by the 
federal data linkages language in the 
proposed rule, thereby hampering 
important research and evaluation 
activities. Additionally, commenters 
supported the expansion of data 
linkages in order to better support the 
analysis required by evolving health 
care delivery and payment models, such 
as Accountable Care Organizations. 

Commenters urged that appropriate 
privacy and security protections are in 
place, to include physical security and 
disposition of data if SAMHSA permits 
linkages to non-federal data repositories. 
One commenter remarked that 
protections imposed by federal 
repositories that are not imposed by
other repositories should be identified
and considered as requirements, so as 
not to lose the insight offered through 
additional linkage opportunities. 
Another suggested implementation of 
data use agreement language to non- 
federal repositories. A commenter 
reasoned IRBs or privacy officers could 
ensure other repositories are in 
compliance with part 2 requirements. 

However, a few commenters did not 
support expansion of data linkage to 
non-federal repositories. Some 
commenters expressed concerns about 
the security of data in both federal and 
non-federal data repositories citing 
examples of healthcare data breaches. 
One commenter concluded data linkage 
to any data repositories be withdrawn 
from the proposed language citing the 
federal agencies' as well as health care
data repositories' inability to adequately
safeguard personal information. Another 
commenter suggested data repositories 
performing the data linkages, if outside 
of part 2 entity, not be given information 
subject to part 2. 


SAMHSA Response 


SAMHSA would like to clarify that 
the data linkages provision is not 
intended to prohibit a researcher from 
linking a data set in the researcher’s 
possession that contains part 2 data 
with a data set from a third party source, 
so long as the part 2 data is not further 
disclosed in the data linkage process 
and the researcher adheres to any 
applicable confidentiality, privacy, and 
security requirements and safeguards. 
Regarding the comment on for-profit 
organizations, whether the researcher is 
a for-profit or not-for-profit 
organization, the researcher would be 
required to have IRB approval and/or 
privacy board review of their research, 
and, additionally, IRB approval of the 
research project that contains the data 
linkage component, to ensure risks to 
the patient and their privacy are 
minimized. In addition, part 2 prohibits 
researchers from re-disclosing patient 
identifying information except back to 
the individual or entity from whom that 
patient identifying information was 
obtained or as permitted under the data 
linkages provision. Researchers may 
include part 2 data in reports only in 
aggregate form in which patient 
identifying information has been 
rendered non-identifiable such that the 
information cannot be re-identified and 
serve as an unauthorized means to 
identify a patient, directly or indirectly, 
as having or having had a substance use 
disorder. 

In response to public comments, 
SAMHSA has decided in the final rule 
to permit data linkages to both federal
and non-federal data repositories subject
to the conditions explained below. 
SAMHSA believes that these changes 
will enhance research while still 
ensuring the protection of part 2 patient 
identifying information. SAMHSA 
agrees with commenters that many non- 
federal data repositories, as well as 
federal data repositories, contain data 
that is critical to research and, therefore, 
SAMHSA is expanding data linkages 
provisions. 

In the data linkages provision of this 
final rule (§ 2.52(c)), SAMHSA revises 
its proposal to enable researchers 
holding part 2 data to link to data sets 
from any repository, including non- 
federal repositories, provided that the 
linkage has been reviewed and 
approved by an Institutional Review 
Board registered with the Department of 
Health and Human Services, Office for 
Human Research Protections in 
accordance with 45 CFR part 46 to 
ensure that patient privacy is 
considered and the need for identifiable 
data is justified. In addition to having 
the request reviewed and approved by 
an IRB, the researcher must ensure that 
patient identifying information obtained 
under the rule’s research provisions is 
not provided to law enforcement 
agencies or officials. SAMHSA states in 
the final rule that the data repository is 
fully bound by the provisions of part 2 
upon receipt of the patient identifying 
data and must, after providing the 
researcher with the linked data, destroy 
or delete the linked data from its 
records, including sanitizing any 
associated hard copy or electronic 
media, to render the patient identifying 
information non-retrievable in a manner 
consistent with the policies and 
procedures established under § 2.16 
Security for records. In addition, the 
data repository must ensure that any 
data obtained pursuant to part 2’s 
research provisions is not provided to 
law enforcement agencies or officials. 


Public Comments 


One commenter recommended that 
SAMHSA expand data linkages beyond 
research to the broader need for it to be 
inclusive of coordinated care. The 
commenter stated that this is another 
area where SAMHSA could look to 
existing HIPAA provisions and align the 
part 2 provisions accordingly. 


SAMHSA Response 


SAMHSA declines to make the 
revision suggested by the commenter. 
The transfer of part 2 information for the 
purposes of research, as allowed under 
§ 2.52, is an exception to patient 
consent, and, therefore, the data 
linkages provision cannot be expanded
to other parts of the regulation. Because
of its targeted population, part 2 
provides more stringent federal 
protections than most other health 
privacy laws, including HIPAA. 
However, SAMHSA aligned policy with 
HIPAA where possible. 


5. Multi-Payer Claims Database 


Public Comments 


Many commenters urged the final rule 
to explicitly include a statement on the 
authority granted to MPCDs (also 
referred to as APCDs) that maintain 
adequate safeguards to collect, link, and 
disseminate substance use disorder 
records without patient consent for 
research purposes. Several commenters 
argued that many states have 
established state-sponsored MPCD 
systems and urged the proposed rule to 
specifically ensure substance use 
disorder data are not systematically 
excluded from state MPCD systems, 
allowing part 2 data to be collected, 
linked, and disseminated without 
patient consent for research purposes. A 
commenter requested specific guidance 
as to whether MPCDs could be lawful 
holders of part 2 data with the same 
disclosure requirements as those for 
HIEs. A commenter stated that the rule 
should authorize state data repositories 
such as an MPCD to link part 2 data to 
other data for research purposes. 


SAMHSA Response 


For an MPCD or any entity to disclose 
part 2 data for research purposes under 
the rule’s research exception to consent 
requirements (§ 2.52), the entity must be 
a “lawful holder of patient identifying 
information.” Under the research 
provision, any lawful holder of part 2 
data may disclose the data to qualified 
researchers that meet the requirements 
under the HHS Common Rule or HIPAA 
Privacy Rule. As SAMHSA discussed in 
the NPRM preamble, a “lawful holder”
of patient identifying information is an 
individual or entity who has received 
such information in accordance with the 
part 2 requirements, and, therefore, is 
bound by 42 CFR part 2. Examples of 
potential “lawful holders” of patient 
identifying information include a 
patient’s treating provider, a hospital 
emergency room, an insurance 
company, an individual or entity 
performing an audit or evaluation, or an 
individual or entity conducting 
scientific research. As permitted by the 
authorizing statute and under these 
regulations, any lawful holder of patient 
identifying information may disclose 
part 2 data without patient consent for 
research purposes under the
circumstances specified under the
research provision. 

Regarding the specific scenario raised 
by commenters, SAMHSA wishes to 
clarify that MPCDs and other data 
intermediaries are permitted to obtain 
part 2 data under the research exception 
provided in § 2.52, provided that the 
conditions of the research exception are 
met. Furthermore, an MPCD or data 
intermediary that obtains part 2 data in 
this fashion would be considered a 
“lawful holder” under these final
regulations and would therefore be 
permitted to redisclose part 2 data for 
research purposes, subject to the other 
conditions imposed under § 2.52. The 
final rule edits the language under 
paragraph 2.52(a) to clarify that the 
regulations do not prohibit such a 
disclosure. 

Except as provided in paragraph 
2.52(c), a researcher may not redisclose 
patient identifying information for data 
linkages purposes. SAMHSA’s data 
linkages provision permits researchers 
to request to link data sets that include 
patient identifying information if the 
data linkages component is reviewed 
and approved by an IRB registered with 
OHRP in accordance with 45 CFR part 
46 and certain other conditions are met. 
The data linkages provision is not 
intended to prohibit a researcher from 
linking a data set in the researcher’s 
possession that contains part 2 data 
with a data set from a third-party 
source, so long as the part 2 data is not 
further disclosed in the data linkage 
process and any applicable 
confidentiality, privacy, and other 
conditions as specified in this rule are 
adhered to. 


O. Audit and Evaluation (§ 2.53) 


SAMHSA is modifying the proposed 
language as discussed below. SAMHSA 
has revised the section heading by 
deleting the word “activities.”
SAMHSA modernized this section to 
include provisions governing both paper 
and electronic patient records. In 
addition, we revised the requirements 
for destroying patient identifying 
information by citing the expanded 
Security for Records section (§ 2.16). 
Furthermore, we updated the Medicare 
or Medicaid audit or evaluation 
paragraph title to include Children’s 
Health Insurance Program (CHIP) and, 
in subsequent language, refer to 
Medicare, Medicaid, and CHIP. 

The § 2.53 revisions permit the part 2 
program, not just the part 2 program 
director, to determine who is qualified 
to conduct an audit or evaluation of the 
part 2 program. The revised language 
also permits an audit or evaluation 
necessary to meet the requirements of a
CMS-regulated ACO or similar
CMS-regulated organization (including a
CMS-regulated QE), under certain 
conditions, by better aligning the 
criteria in this section with those set 
forth in the Affordable Care Act 
(regulating ACOs, in part, at 42 U.S.C. 
1395jjj). We have specified that such
ACO or similar CMS-regulated entities
must have in place administrative
and/or clinical systems. While the NPRM
indicated both types of systems were 
required, it has been noted that some 
ACO or similar CMS-regulated entities 
will not have both clinical and 
administrative systems. We also have 
clarified in the final rule that the ACO 
or similar CMS-regulated organization 
(including a CMS-regulated QE) is 
subject to periodic evaluations by, or 
receives patient identifying information 
from, CMS or its agents. To ensure that 
patient identifying information is 
protected, the ACO or similar CMS- 
regulated organization (including a 
CMS-regulated QE) that is the subject of, 
or is conducting, the audit or evaluation 
must have a signed Participation 
Agreement with CMS or similar 
documentation that demonstrates that 
the organization and its auditors or 
evaluators must conduct the audit and 
evaluation activities in full compliance 
with all applicable provisions of 42 
U.S.C. 290dd-2 and 42 CFR part 2.


Public Comments 


Several commenters provided 
comments with regard to § 2.53, Audit 
and Evaluation. A few commenters 
discussed the application of this section 
to Medicare and Medicaid. A couple of 
commenters recommended clarifying 
that Medicaid agencies are permitted 
under the QSO exception to disclose 
part 2 information to third-party payers 
for audit or evaluation purposes. These 
commenters also suggested that 
Medicaid and other third-party payers 
may use (third-party) contractors and 
vendors to assist beneficiaries and 
perform such activities as program 
integrity activities. The commenters 
argued that the QSO exception 
described above should include 
communications between third-party 
payers such as Medicaid agencies and 
other holders of part 2 data and QSOs 
to help ensure “operational efficiency.” 
Another commenter suggested that the 
revisions concerning the auditing 
process and Participation Agreements 
would be too burdensome, and would 
be inconsistently applied because 
Medicare and Medicaid do not have to 
comply with the auditing requirements, 
whereas providers do. Further, a couple 
of commenters stated that part 2 
programs would be confused in
attempting to decipher which
organizations have Participating 
Agreements with CMS in place, further 
exacerbating the existing compliance 
issues with part 2. A commenter 
requested that SAMHSA clarify whether 
Medicaid program ACOs and external 
quality review organizations (EQRO) are 
considered “CMS-regulated” for the
purposes of permitted disclosures. The 
commenter suggested that Medicaid 
program entities should be considered 
CMS-regulated entities. 


SAMHSA Response 


A QSO is an individual or entity that 
provides a service to a part 2 program 
consistent with a QSOA (see §§ 2.11, 
Definitions; 2.12(c)(4), Applicability). A 
QSOA is a two-way agreement between 
a part 2 program and the individual or 
entity providing the desired service. 
Therefore, to be a QSO, the contracted 
entity must be providing the service to 
a part 2 program. The QSOA authorizes 
communication only between the part 2 
program and QSO. Third-party payers, 
such as Medicaid, are not considered 
part 2 programs as defined in this rule, 
and are not eligible to have QSO 
through a QSOA. That said, comments 
to the proposed rule raised questions 
that indicate that there may be varying 
interpretations of the current (1987) part 
2 rule’s restrictions regarding the use of 
contractors/subcontractors in contexts 
other than the QSO context, such as the 
sharing of part 2 information by third- 
party payers with contractors and 
subcontractors to carry out activities 
related to audit and evaluation and 
program integrity, and we intend to 
address such scenarios with greater 
clarity in an SNPRM. As stated under
§ 2.12(a)(1), Restrictions on disclosures, 
the restrictions on disclosures in these 
regulations apply to any information, 
whether recorded or not, which would 
identify a patient as having or having 
had a substance use disorder either 
directly, by reference to publicly 
available information, or through 
verification of such information by 
another person. Patient identifying 
information that has been rendered non- 
identifiable in a manner that creates a 
very low risk of re-identification may be 
disclosed. 

With regard to the concern that the 
proposed revisions to § 2.53 would be 
burdensome and create confusion when 
part 2 programs have to determine who 
has a Participation Agreement or similar 
documentation in place, CMS-regulated 
entities that, among other requirements, 
are subject to periodic evaluations by 
CMS or its agents, or are required by 
CMS to evaluate participants in the 
ACO or similar CMS-regulated
organization (including a CMS-regulated
QE) relative to CMS-defined or 
approved quality and/or cost measures 
should be able to produce evidence that 
they have Participation Agreements or 
similar documentation in place with 
CMS if requested by a part 2 program.

As to whether Medicaid program
ACOs and EQROs are considered “CMS-
regulated,” this rule explicitly states 
that ACOs and similar organizations 
regulated by CMS may, subject to 
certain conditions, disclose or require 
participants in the organization to 
disclose part 2-covered information in 
order for the organization to meet CMS 
audit and evaluation requirements. 
Other entities may also be considered 
“CMS-regulated” depending on the
particular circumstances, for example, 
as a result of their direct supervision by 
CMS, the establishment by CMS of 
regulations governing their conduct or 
qualification, or, in the case of Medicaid 
and CHIP-related entities, CMS’ 
approval of state plans or waivers and 
supervision of the state agencies. 
Medicaid program ACOs and EQROs do 
fit within the entities covered by the 
audit and evaluation provisions of the 
part 2 program. SAMHSA may further 
elaborate on this topic in subregulatory 
guidance issued following the 
publication of the final rule. 


Public Comments 


A few commenters provided input on 
SAMHSA’s proposal to permit audit or 
evaluation necessary to meet the 
requirements of a CMS-regulated ACO 
or similar CMS-regulated organization 
(including a CMS-regulated QE), under 
certain conditions. A couple of 
commenters recommended that 
SAMHSA modify part 2 to permit CMS 
to provide all claims with substance use 
disorder treatment information through 
the Claim and Claim Line Feed (CCLF) 
file so patients can receive 
comprehensive, quality treatment and 
programs can operate more efficiently 
and effectively. The commenters 
suggested that because 42 U.S.C.
290dd-2(b)(2)(B) permits substance use
disorder treatment programs to disclose
treatment records without the consent of 
the patient for the purpose of audits or 
evaluation; § 2.53 of the proposed rule 
also permits substance use disorder 
treatment programs to disclose 
treatment records to ACOs or other 
CMS-regulated organizations to allow 
the organizations to meet CMS’s audit 
and evaluation requirements for 
participation; therefore the provision 
could be expanded, or clarified, to also 
permit CMS to disclose substance use 
disorder treatment information to ACOs 
and bundled payment participants for
audit and evaluation activities. Another
commenter expressed concern about the 
expansion of the part 2 audit and 
evaluation exception to include ACOs, 
because ACOs are continually 
“auditing” programs as a continual 
process of evaluating and monitoring 
and part 2’s language makes clear that 
an audit or evaluation is a time-limited 
activity that is not intended to permit 
ongoing access to program records. This 
commenter asserted that the part 2 audit 
and evaluation exception should not be 
allowed to result in a practice that 
circumvents the need to obtain a 
patient’s consent to access their 
information. 

One commenter noted that CMS’s 
application of part 2 in its removal of 
substance use disorder treatment 
information from the monthly CCLF, in 
which CMS redacts any claim submitted 
by any provider where a substance use 
disorder is either the principal or 
secondary diagnosis, causes CMS to 
remove claims from the CCLF file that 
are not produced by federally assisted 
substance use disorder treatment 
programs. The commenter urged 
SAMHSA to work with CMS to develop 
a pathway to include substance use 
disorder treatment information in the 
CCLF data file. 


SAMHSA Response 


CMS may disclose patient identifying 
information to a CMS-regulated ACO or 
similar CMS-regulated organization 
(including a CMS-regulated QE) for 
Medicare audit and evaluation purposes 
pursuant to § 2.53(c), which provides 
that “[p]atient identifying information, 
as defined in § 2.11, may be disclosed 
under paragraph (c) of this section to 
any individual or entity for the purpose 
of conducting a Medicare, Medicaid, or 
CHIP audit or evaluation. . . .” Neither
the statute nor the part 2 regulations 
define audit or evaluation. However, 
under this section of the audit and 
evaluation exception, the purpose of the 
disclosure must be to conduct a 
Medicare, Medicaid, or CHIP audit or 
evaluation. This may include audit or 
evaluation activities, such as reviews of 
financial performance or the quality of 
health care services delivered, 
undertaken by the CMS-regulated 
organization itself to review its own 
performance. The exception does not 
cover any activities conducted by ACOs 
that may not be reasonably construed as 
being related to such a purpose. 


Public Comments 


Commenters provided other 
recommendations related to this section. 
A commenter suggested that § 2.53(d) 
should be revised to permit disclosure
of patient information to entities that
have administrative control over 
auditors. Another commenter suggested 
that SAMHSA consider allowing 
“lawful holders” the ability to share 
information for audit and evaluation 
services, with the agreement that the 
service provider must adhere to part 2. 

Another commenter recommended 
that SAMHSA convene a group of state, 
local, and provider representatives to 
develop draft guidance. 


SAMHSA Response 


Regarding the suggestion that 
§ 2.53(d) should be revised to permit 
disclosure of patient information to 
entities that have administrative control 
over auditors, except as provided in 
§ 2.53(c), patient identifying information 
disclosed under this section may be 
disclosed only back to the program from 
which it was obtained and used only to 
carry out an audit or evaluation purpose 
or to investigate or prosecute criminal or 
other activities, as authorized by a court 
order entered under § 2.66. 

As recommended by a commenter, 
SAMHSA plans to develop and publish 
subregulatory guidance regarding the 
application of § 2.53 audit and 
evaluation disclosures after publication 
of this final rule. 


P. Other Public Comments on the 
Proposed Rule 


1. Requests To Extend the Public 
Comment Period 


Public Comments 


Several commenters requested an
extension to the public comment period.
Commenters stated the complexity and 
importance of the rule warranted 
additional time for reflection and 
comment. A few commenters requested 
that the comment period be extended 
for one year to allow for a more open 
process. A couple of commenters 
suggested that in addition to extending 
the comment period for one year, public 
hearings also be held across the country.


SAMHSA Response 


While SAMHSA recognizes that the 
issues addressed in the part 2 NPRM are 
complex and important, we concluded 
that the 60-day comment period was 
sufficient to provide the public a 
meaningful opportunity to comment, 
and this conclusion is supported by the 
hundreds of complex and thoughtful 
comments received. Additionally, the 
NPRM was available to the public for a 
preliminary review on the Federal 
Register Web site upon submission of 
the NPRM to the Federal Register, 
which was several days prior to 
publication, thereby providing
stakeholders additional time prior to the
publication date. Finally, on June 11, 
2014, SAMHSA held a public listening
session and invited, through a Federal
Register notice, general comments, as
well as comments on six key provisions 
of 42 CFR part 2. 


2. Rulemaking Process


Public Comments


One commenter expressed concern 
that SAMHSA did not summarize or 
address specific comments from 
stakeholders who participated in the 
public listening sessions. 

Another commenter said that the part 
2 changes should move forward but 
should be monitored and modified 
accordingly over the next two to three 
years. 


SAMHSA Response 


SAMHSA will undertake further 
rulemaking as necessary and intends to 
respond to issues raised with respect to 
the part 2 regulations, as they have in 
the past, through subregulatory 
guidance. 

SAMHSA considered all comments 
received in the June 2014 public 
Listening Session on the part 2 
regulations. As explained in the NPRM, 
feedback from the Listening Session was 
considered and helped to inform the 
development of the February 2016 
NPRM (see 81 FR 6988, 6993). SAMHSA 
posted all comments received in 
response to the Listening Session 
Federal Register Notice on its Web site: 
http://www.samhsa.gov/about-us/who-we-are/laws-regulations/public-comments-confidentiality-regulations.


3. Implementation Timeline and Other 
Barriers to Implementation 


Public Comments 


To allay privacy concerns, a 
commenter said that SAMHSA should 
delay the proposed part 2 changes to 
further develop its Consent2Share 
application and encourage wider 
adoption. Similarly, a commenter 
recommended further testing and 
evaluation on IT solutions before 
issuing part 2 changes. This commenter 
further urged SAMHSA to address these 
issues in the final rule by specifically 
detailing a process for updating the 
Consent2Share tool so that its design 
specifications remain compatible with 
the rapidly advancing and very fluid 
EHR design landscape. 


SAMHSA Response 


SAMHSA declines to accept these 
recommendations to delay publication 
of a final rule pending technology 
developments or Congressional action. 


Technology adoption is an ongoing 
process, and the majority of current EHR 
and HIE applications may not have the 
capability to support the DS4P 
initiative. In addition, paper records are 
still used today in some part 2 programs 
and shared through facsimile (FAX). In 
addition, SAMHSA’s publication of a 
final rule would not prevent further 
Congressional action with respect to 
part 2. 


Public Comments 


One commenter expressed concern 
that applying electronic data 
segmentation in conjunction with 
patient privacy preferences can 
significantly increase the complexity of 
the workflow process and have 
unintended consequences on system 
performance and response times at the 
point of care. The commenter 
recommended that SAMHSA, in 
conjunction with other federal agencies, 
advisory bodies, such as the National 
Committee on Vital and Health 
Statistics (NCVHS), and public and 
private stakeholders should convene 
public discussions to evaluate the 
possibility of data segmentation 
standards in electronic systems, the 
benefits and potential unintended 
consequences that may result, along 
with the associated costs and 
anticipated consumer uses of such 
standards and processes. 

In addition to the technical 
challenges, a commenter said that 
SAMHSA should recognize other 
barriers to implementation of part 2 
changes, including complexity in 
navigating individual state regulations, 
challenges around mapping to clinical 
codes, and lack of a standardized 
service discovery mechanism to ensure 
capability of exchanging systems to 
evaluate the ability to receive and 
interpret a tagged document. 


SAMHSA Response 


SAMHSA recognizes the concerns 
expressed by the commenter; however, 
SAMHSA’s jurisdiction is limited to 
those regulations over which it has 
authority. We note that the part 2 
regulations permit, but do not require, 
data segmentation. 


4. Educational Opportunities


Public Comments


Some commenters urged SAMHSA to 
provide trainings/webinars and 
technical assistance after the final rule 
is adopted so that substance use 
disorder providers, other health care 
providers, and patients will understand 
the changes to ensure compliance with 
the rule. Expressing concern that many 
people will not understand the idea of
an HIE or a registry, one commenter
suggested creating paid space for a 
nurse visit to walk a consumer through 
the consent. 

A few commenters encouraged 
SAMHSA to invest in provider and 
patient education efforts on the value of 
integrated care, the role of information 
sharing in enabling integrated care, how 
the consent process works, patient 
rights under 42 CFR part 2, and the 
implications of providing consent to 
share personal health information. 

A commenter encouraged SAMHSA 
to continue its efforts to provide 
guidance as to how part 2’s 
requirements can be incorporated into 
HIE systems, suggesting that many of 
the perceived part 2 issues can be 
resolved by proper education regarding 
the actual requirements and how 
information can be exchanged pursuant 
to part 2 with little, if any, additional 
effort if proper operational practices are 
utilized by health care providers and 
management organizations. 

One commenter suggested that 
SAMHSA establish a consumer 
engagement committee or seek input 
from an existing national consumer 
advisory council to support part 2 
programs in complying with certain 
areas of the rule, such as developing 
user-friendly consent forms and crafting 
educational materials for patients. One 
commenter suggested that SAMHSA 
contract with the Legal Action Center to 
create a webinar or FAQ to provide 
guidance to community health centers 
and other “multi-use” organizations as
to the applicability of part 2. 

Another commenter recommended 
that SAMHSA develop educational 
materials targeted at pharmacists 
because of the pharmacy profession’s 
growing role in substance use disorder 
treatment. 


SAMHSA Response 


SAMHSA appreciates these comments 
on educational opportunities and plans 
to address specific commenter requests 
in subregulatory guidance after the 
publication of the final rule. SAMHSA 
will consider additional educational 
activities, such as trainings, webinars, 
and establishing engagement 
committees, should SAMHSA 
determine the need during 
implementation of the final rule. 


5. Increased Enforcement 
Public Comments 


Some commenters urged SAMHSA to 
ensure that part 2 provides for 
meaningful enforcement and penalties, 
with a few reasoning that the rule would 
create new avenues for the exchanges of
patients’ substance use disorder
information, especially to other parts of 
the health care system that may have 
little to no experience treating substance 
use disorder or complying with part 2. 
One of these commenters asserted that 
fines imposed for part 2 violations are 
so minimal that they are not a deterrent 
to intentional or accidental violations. A 
commenter suggested that SAMHSA 
adopt the HIPAA penalties contained in 
the HITECH Act and specify that any 
disclosures of information in violation 
of this statute must be excluded from 
evidence and deemed inadmissible for 
use in any administrative, civil, or 
criminal proceeding. 

Urging SAMHSA to review and 
correct the enforcement concerns of the 
underlying statute, one commenter 
argued that the current confidentiality 
obligations have questionable 
enforcement authority because there is 
no express provision in Title 18 
pertaining to the confidentiality of drug 
and alcohol treatment records. Although 
the original part 2 underlying statute set 
forth specific fines, the commenter 
explained that a subsequent revision (by 
Pub. L. 102-321) eliminated the fines 
leaving only a reference to Title 18. 
Moreover, the commenter said that by 
the proposed transfer of the existing 
enforcement authority from FDA to 
SAMHSA, the proposed rule appears to 
remove enforcement authority that 
actually exists to a potential state of 
unenforceability. Similarly, another 
commenter stated that SAMHSA does 
not have legislative authority to impose 
penalties for disclosure. No mention of 
privacy law violation fines, penalties, or 
offenses exist in Title 18. Thus, the 
current confidentiality obligations have 
no enforcement authority. The 
commenter stated that entities receiving 
unauthorized information would likely 
not be subject to penalties unless a 
common law breach of privacy lawsuit 
is filed. 


SAMHSA Response 


The Department of Justice is 
responsible for enforcing violations of 
42 CFR part 2 in accordance with Title 
18 of the United States Code. Title 42 
U.S.C. 290dd-2 provides that “[a]ny
person who violates any provision of 
[the] section or any regulation issued 
pursuant to [the] section shall be fined 
in accordance with title 18.” Reports of 
violation of the regulations may be 
directed to the United States Attorney’s 
Office (USAO) for the judicial district in 
which the violation occurs or may be 
directed to SAMHSA for possible 
referral to the relevant USAO. A report 
of any violation of these regulations by 
an opioid treatment program may be
directed to the relevant USAO as well
as the SAMHSA office for opioid 
treatment program oversight, pursuant 
to 42 CFR part 8. 


6. Other Miscellaneous Comments on 
the Proposed Rule 


Public Comments 


A commenter suggested that 
SAMHSA revise the title of part 2 to 
“Confidentiality of Patient Records 
Relevant to Substance Use Disorders 
and Associated Behavioral Diagnoses,” 
to ensure person-centered language is 
used. 


SAMHSA Response 


To be consistent with recognized 
classification manuals, current 
diagnostic lexicon, and commonly used 
descriptive terminology, SAMHSA 
proposed to refer to alcohol abuse and 
drug abuse collectively as “substance 
use disorder,” and, for consistency, 
proposed to revise the title of 42 CFR 
part 2 from “Confidentiality of Alcohol
and Drug Abuse Patient Records” to
“Confidentiality of Substance Use
Disorder Patient Records.”


Public Comments 


Some commenters made specific 
suggestions or requested clarification 
regarding parts of the part 2 regulations 
that were not the subject of the 
proposed changes in the NPRM. For 
example, commenters addressed §§ 2.14 
(Minor patients), 2.20 (Relationship to 
state laws), and 2.21 (Relationship to 
federal statutes protecting research 
subjects against compulsory disclosure 
of their identity). 


SAMHSA Response 


SAMHSA acknowledges commenters’ 
questions and suggestions relating to all 
aspects of the part 2 regulations. 
However, for purposes of this final rule, 
SAMHSA generally considered 
comments submitted on provisions for 
which changes were not proposed in the 
February 2016 NPRM to be outside of 
the scope of this rulemaking. SAMHSA 
will take such comments and 
recommendations under advisement 
and may issue subregulatory guidance 
in the future to address some of these 
issues brought up by commenters. 


Public Comments 


Another commenter also urged 
SAMHSA to work with CMS to ensure 
that when proper criteria are met, such 
as through a QSOA and/or a signed 
consent form, patient substance use 
claim information is available to ACOs 
through their CCLF files. Asserting that 
it is a major blind spot in the ability of 
an ACO to manage total care if it does 
not have data on substance use disorder
data, a commenter encouraged 
SAMHSA to work with CMS on ways to 
effectively manage substance use 
disorder care within the administration 
of the ACO program. One commenter 
suggested that SAMHSA work with 
federal agencies, states, localities, and 
providers to identify the cost/burden of 
the rule on entities and professionals. 
The commenter also recommended that 
SAMHSA work with the CMS and the 
Office of the National Coordinator for 
Health Information Technology (ONC) 
to align the rule with guidance 
permitting the HITECH enhanced 
funding for administrative costs to other 
providers. 


SAMHSA Response 


SAMHSA will continue to work with 
CMS and its other federal partners to 
ensure the effective and timely 
implementation of the part 2 final rule. 


Public Comments 


Because a state provides health care, 
including federally funded substance 
use disorder treatment programs, to 
inmates in the state jail system, a 
commenter stated that the part 2 
regulations impact the methods by 
which care is coordinated for inmates 
and urged SAMHSA to consider part 2’s 
impact on incarcerated populations. 


SAMHSA Response 


SAMHSA considered how the 
regulations would impact part 2 
programs and lawful holders of patient 
identifying information, as well as other 
stakeholders. All part 2 programs and 
other lawful holders of patient 
identifying information must comply 
with part 2. If a jail or prison meets the
definition of a part 2 program, it would 
be required to comply with part 2. 


Public Comments 


One commenter stated that there 
should be an option for the patient to 
have the ability to remove their 
substance use disorder history from 
their medical record after a ten-year 
minimum time period. 


SAMHSA Response 


Although SAMHSA is not prescribing 
any specific retention period, the 
expectation is that both paper and
electronic records would comply with 
applicable federal, state, and local 
retention laws. 


Public Comments 


A commenter requested that 
SAMHSA provide a description of 42 
CFR part 2-covered entities similar to 
the designation under HIPAA. 


SAMHSA Response 


SAMHSA may address applicability 
in subregulatory guidance or in 
subsequent rulemaking. 


VI. Rulemaking Analyses 


A. Paperwork Reduction Act 


Under the Paperwork Reduction Act 
of 1995 (PRA), agencies are required to 
provide a 60-day notice in the FR and 
solicit public comment before a 
collection of information requirement is 
submitted to the Office of Management 
and Budget (OMB) for review and 
approval. We provided for this comment 
period as part of the NPRM. The part 2 
information collections are approved 
under OMB Control No. 0930-0092, and 
SAMHSA will shortly submit the 
changes associated with this rule to 
OMB for review. 

This rule includes changes to 
information collection requirements, 
that is, reporting, recordkeeping or 
third-party disclosure requirements, as 
defined under the PRA (5 CFR part 
1320). Some of the provisions involve 
changes from the information 
collections set out in the previous 
regulations. Information collection 
requirements are: (1) Section 2.13(d)— 
Disclosure: Requires entities named by 
patients using general designation under 
§ 2.31(a)(4)(iv)(C) to provide a list of 
entities to which the patient’s 
information has been disclosed to 
participants pursuant to the general 
designation, (2) Section 2.22— 
Disclosure: Requires each program 
notify each patient that federal law and 
regulations protect the confidentiality of 
substance use disorder patient records 
and provide a written summary of the 
effect of this law and these regulations, 
(3) Section 2.51—Recordkeeping: This 
provision requires the program to 
document a disclosure of a patient 
record to authorized medical personnel 
in a bona fide medical emergency as 
defined in § 2.51. The regulation is 
silent on retention period for keeping 
these records as this will vary according 
to state laws. It is expected that these 
records will be kept as part of the 
patients’ health records. The major 
change from current (1987) regulations 
is the list of disclosures requirement at 
Section 2.13(d). SAMHSA proposed that 
entities named on a consent form that
disclose patient identifying information
to their participants under the general 
designation must provide patients, upon 
request, a list of entities to which their 
information has been disclosed 
pursuant to a general designation (i.e., 
list of disclosures). Impact of this 
provision is noted below. SAMHSA 
notes that entities are not required to 
use the general designation permitted 
under § 2.31(a)(4)(iii)(B)(3)(). 

Under the PRA, the time, effort, and 
financial resources necessary to meet 
the information collection requirements 
referenced in this section are to be 
considered in rulemaking. The NPRM 
solicited comments on PRA issues. 
Commenters did not raise concerns 
regarding the burden for information 
collection requirements for the 
recordkeeping and notification 
provisions above. Though commenters 
expressed concern about some aspects 
of the list of disclosures requirements, 
these comments did not suggest that the 
burden of information collection would 
increase for 42 CFR part 2-compliant 
entities. Indeed, one commenter noted 
that current practice for many facilities 
to maintain both paper and electronic 
records may be both burdensome and 
inefficient. By promoting use of EHRs, 
changes in this rule may help to 
improve efficiency for providers. Some 
commenters also hypothesized that 
complying with the list of disclosures 
requirement would require such steps as 
developing a tracking system; or manual 
review or audit of all records; and 
mailing of letters through U.S. mail. 
Entities should already be collecting 
and retaining information needed to 
comply with the list of disclosures 
requirement. The final rule does not 
impose requirements to manually 
review all records, mail letters using the 
U.S. Postal Service or develop a tracking 
system specifically to comply with the 
list of disclosures provisions. For 
instance, we note below that entities 
could comply with the List of 
Disclosures requirement by either 
collecting this information 
electronically by using audit logs to 
obtain the required information or by 
keeping a paper record. Similarly, we 
point out that list of disclosures may be 
transmitted through such methods as 
mail or email or through other means 
preferred by the patient. We discuss the 
list of disclosures requirements further 
in the impact analysis section below. 

Annual burden estimates for these 
requirements are summarized in the 
table below: 
TABLE 2—ANNUAL BURDEN ESTIMATES

                  Annual        Responses                  Hours       Total
                  number of     per           Total        per         hour         Hourly       Total
                  respondents   respondent    responses    response    burden       wage cost    cost

Disclosures
  42 CFR 2.13(d)  ¹19,548       1             19,548       ²4.15       81,124       ³$36.9175    $2,995,000
  42 CFR 2.22     ⁴12,034       155           ⁵1,861,693   .20         372,338.6    ⁶40.26       14,990,000
Recordkeeping
  42 CFR 2.51     12,034        2             24,068       .167        4,019        ⁷34.16       137,000

Total             ⁸31,582                     1,905,309                457,482                   18,123,000

¹ The number of entities required to generate a list of disclosures based on the number of estimated patient requests. Patient requests are based on the total number of annual treatment admissions from SAMHSA’s 2010-2012 Treatment Episode Data Set (TEDS) (see footnote 5). The estimated patient requests equal the average of the total number of requests for a 0.1 percent request rate and a 2 percent request rate. SAMHSA notes that this estimate reflects the number of patient requests rather than the number of impacted entities as some entities may receive more than one request.

² The estimated time for developing a list of disclosures is 4 hours for entities collecting the information electronically using an audit log and 3 hours for entities that produce such a list from paper records. Because 90 percent of entities are estimated to collect the information electronically using an audit log and 10 percent are estimated to use paper records, the average weighted time to develop a list of disclosures is 3.9 hours [(0.9 x 4 hours) + (0.1 x 3 hours)]. Including the estimated 15 minutes to prepare each list of disclosures for mailing or transmitting, the total estimated time for providing a patient a list of disclosures is 4.15 hours (3.9 hours + 0.25 hours).

³ The weighted hourly rate for health information technicians, medical technicians and administrative staff who will be preparing the list of disclosures. The hourly rate is weighted to reflect the fact that health information and medical technicians, who will be generating the list of disclosures, have a higher wage rate than administrative staff and will contribute more hours to generating the list of disclosures. Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed June 3, 2015], Standard Occupations Classification codes (29-2071, 31-9092) [www.bls.gov/oes/]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.

⁴ The number of publicly funded alcohol and drug facilities based on SAMHSA’s 2013 National Survey of Substance Abuse Treatment Services (N-SSATS). The estimated annual number of respondents, 12,034, is based on N-SSATS data and reflects facilities receiving federal funding. However, under N-SSATS an organization may complete survey responses for multiple facilities.

⁵ The average number of annual treatment admissions from SAMHSA’s 2010-2012 TEDS.

⁶ Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed July 16, 2015], Standard Occupations Classification code (21-1011) [www.bls.gov/oes/]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.

⁷ Bureau of Labor Statistics, U.S. Department of Labor, Occupational Employment Statistics [accessed July 16, 2015], Standard Occupations Classification code (43-0000) [www.bls.gov/oes/]. The hourly wage rate was multiplied by 2 to account for benefits and overhead costs.

⁸ The combined total of the number of publicly funded alcohol and drug facilities and the number of entities required to generate a list of disclosures.


As described in greater detail in 
Section VI.B, Regulatory Impact 
Analysis, the respondents for the 
collection of information under §§ 2.22
and 2.51 are publicly (federal, state, or 
local) funded, assisted, or regulated 
substance use disorder treatment 
programs. The estimate of the number of 
such programs (respondents) is based on 
the results of the 2013 N-SSATS, and 
the average number of annual total 
responses is based on 2010-2012 
information on patient admissions 
reported to the Treatment Episode Data 
Set (TEDS), approved under OMB 
Control No. 0930-0106 and OMB 
Control No. 0930-0335. 

The respondents for the collection of 
information under § 2.13(d) are entities 
named on the consent form that disclose 
information to their participants 
pursuant to the general designation. 
These entities primarily would be 
organizations that facilitate the 
exchange of health information (e.g., 
HIEs) or coordinate care (e.g., ACOs, 
CCOs, and CPCMHs), but other 
organizations, such as research 
institutions, also may disclose patient 
identifying information to their 
participants (e.g., clinical researchers) 
pursuant to the general designation on 
the consent form. Because there are no 
definitive data sources for this potential 
range of organizations, we are not 
associating requests for a list of 
disclosures with any particular type of
organization. Consequently, the number
of organizations that must respond to 
list of disclosures requests is based on 
the total number of requests each year. 


B. Regulatory Impact Analysis 


1. Public Comments on Notice of 
Proposed Rulemaking Regulatory 
Impact Analysis 


a. Support for Cost Estimates 


Public Comments 


SAMHSA received roughly 376 
comments on the proposed rule. 
However, relatively few comments 
focused on the Regulatory Impact 
Analysis. We respond to these 
comments below and have made 
changes in our analysis, when 
appropriate, to reflect these comments. 

A few commenters suggested that the 
estimated costs outlined by SAMHSA in 
the proposed rule are in line with actual 
costs. For instance, one commenter 
suggested that the estimated total cost of 
$239 million over 10 years would not be 
unduly burdensome and would improve 
patient care and safety. A commenter 
stated that costs would be minimal for 
integrating the requirement properly to 
sanitize and dispose of records into 
training and instruction. Another 
commenter stated that the costs related 
to modifying release forms and training 
staff would be absorbed by 
organizations and would not impact 
business processes. Explaining that in
order to reflect the revision in title of 42
CFR part 2, a modification of the printed 
and on-line versions of applicable CFR 
Titles would be necessary, a commenter 
concluded that because of regular 
updates to CFRs, the incorporation of 
amendments made as part of this rule 
should not result in a significant 
economic impact. 


SAMHSA Response 


SAMHSA acknowledges and 
appreciates the comments received that 
expressed support for the cost estimates 
in the NPRM. Though SAMHSA does
not attempt in this rule to quantify 
benefits, it is important to note that 
updates to 42 CFR part 2 may result in 
long-term cost savings as well due to 
improved care coordination and 
integration and more efficient use of 
data for research and performance 
improvement purposes. 


b. Assertions That SAMHSA 
Underestimated Costs 


Public Comments 


Some commenters generally asserted 
that the compliance and 
implementation costs were 
underestimated. One commenter 
suggested that cost effectiveness of 
complying with the proposed regulation 
will impact members and patients 
because of the additional costs 
associated with implementation (e.g., 
outreach and education, changes to 
consent forms), which undermines care
coordination and effective delivery of 
services. Another commenter suggested 
that the projected costs of complying 
with part 2 should include costs for 
other institutions that are affected with 
re-disclosure of the provision; costs to 
individual practitioners or health 
organizations with few clinicians that 
fall under part 2; vendor-related costs; 
costs for software development and 
upgrades should be added to the costs 
of electronic record purchase and 
maintenance; cost to HIE; and costs to 
hire administrative staff. 

A few commenters suggested that the 
estimated $8,000 cost per facility to 
implement consent management was 
too low, failing to reflect fully 
development, testing and process costs. 
One commenter suggested that the 
estimated $8,000 cost per facility to 
implement consent management likely 
does not consider vendor-related costs 
such as development, testing, training, 
adoption and process modifications that 
may need to occur, only the cost of the 
infrastructure investment. Commenters 
urged SAMHSA and federal partners to 
consider funding HIT adoption by 
behavioral health providers. Another 
commenter stated that the proposed rule 
underestimated the cost of scaling 
efforts to integrate DS4P and 
Consent2Share, including upgrades and 
iterations across EHR products. 
Commenters also suggested SAMHSA 
modify its DS4P efforts to reflect 
updated 42 CFR part 2 requirements. 
Lastly, a commenter suggested that the 
estimate of $8,000 to comply with the 
proposal underestimates the costs for 
existing pharmacy management systems 
to add new functionality and 
applications and does not include other 
software or security requirements, 
training, or other implementation costs 
associated with the proposed rule. 
Another commenter generally suggested 
that the estimated cost burden of 
transitioning to a new consent form will 
be greater than proposed in the 
proposed rule. 

Several commenters mentioned other 
specific areas in which SAMHSA 
underestimated costs. One commenter 
suggested that the costs estimated 
related to EHR customizations are 
underestimated because there is no 
current standard interoperability within 
EHRs that address part 2 information. 
Another commenter also shared their 
own experience in which they estimated 
a cost of $30,000 to comply with 42 CFR 
part 2 when including 2 substance use 
specialists as part of an integrated 
treatment model using an electronic 
health record. This commenter asserted 
based on their own experience that if
small entities attempt to develop
integrated substance use disorder 
treatment programs they may face 
similar costs, including information 
technology time and efforts to modify 
EHRs to include restrictions on sharing 
of 42 CFR part 2 information in an 
integrated setting prohibitive. Another 
commenter stated that time, resources 
and training would be required to 
implement proposed changes to §§ 2.12, 
2.31, and 2.32, and that personnel and 
financial constraints are common within 
the health care industry. The 
commenter estimated that the ability to 
adapt currently used electronic health 
records to segregate certain patient 
information will also take considerable 
effort and time. A commenter stated that 
the proposed cost analysis associated 
with staff training is inaccurate because 
it assumes that only substance use 
disorder counselors would need training 
when, in actuality, other fields would 
also need to be trained because they 
could potentially become lawful holders 
of the patient information (e.g., social 
work, psychology, medicine, managed 
care, HIE, research organizations). The 
commenter added that additional work 
will be needed to redact patient records 
to be in compliance with the data 
sharing elements related to information 
that could identify a patient as a
substance use disorder patient. A
commenter stated that the cost to 
organizations to comply with the 
requirement for U.S. mail transmissions 
will be significant. 


SAMHSA Response 


Though commenters suggested 
anecdotally that SAMHSA 
underestimated the burden of 42 CFR 
part 2-compliance, SAMHSA notes the 
availability of data segmentation tools 
such as Consent2Share, an open source 
tool for consent management that is 
compliant with 42 CFR part 2. As noted 
above (in Section V.J.1.c), SAMHSA will 
be shortly releasing an updated version 
of Consent2Share with improved 
functionality and ability to meet the list 
of disclosures requirements. Provided 
that a facility already is using electronic 
health records and can partner with a 
health information exchange using 
Consent2Share or similar software, 
SAMHSA believes based on current 
efforts to pilot an updated version of 
Consent2Share that a cost of between 
$6,000 and $10,000 is reasonable. At the 
individual clinic level, initial set-up, 
training and testing are expected to 
constitute the main expenses. DS4P,
Consent2Share, and similar tools make 
it feasible for entities to comply with 
updated 42 CFR part 2 requirements at 
reasonable cost. 


While we acknowledge comments 
that entities other than those directly 
subject to this rule may be impacted by 
its provisions, including vendors of EHR 
products, such impacts are outside the 
scope of the regulation. We do not 
mandate vendors to perform additional 
activities. Nonetheless, SAMHSA will 
monitor such impacts and, to the extent 
feasible, work with stakeholders and 
federal partners to develop fact sheets 
and other materials to assist in outreach 
to patients and others about changes 
made in this rule. Likewise, while 
SAMHSA is unable to directly fund 
updates to EHRs, SAMHSA continues to 
work closely with ONC and others to 
ensure inclusion of behavioral health 
providers in ongoing information 
technology programs (See http://www.samhsa.gov/health-information-technology/samhsas-efforts; https://www.healthit.gov/policy-researchers-implementers/behavioral-health).

We acknowledge that the cost of 
updating consent forms may be greater 
than we had proposed and have made 
changes to our cost estimates in this 
final rule to reflect the need to update 
forms to meet new requirements. We 
note that most of these costs may only 
need to be incurred once and in the past 
some organizations have made sample 
template forms and materials available 
(See e.g., http://lac.org/resources/substance-use-resources/confidentiality-resources/sample-forms-confidentiality/).
SAMHSA may, at a future time,
develop sample templates and forms to 
ease compliance costs. 


c. Other Comments on Costs 
Public Comments 


Some commenters said existing 
functionalities within EHR systems and 
consent management tools do not easily 
separate or redact substance use 
disorder information from general 
medical information when such systems 
are shared across an integrated health 
system. Similarly, commenters 
expressed concern that the proposed 
rule could have the opposite effect of its 
intended purpose by causing HIEs to 
exclude part 2 information from 
information exchanges entirely since 
most HIEs and EHRs today do not 
support data segmentation. Asserting 
that the proposed part 2 changes would 
require HIEs to create an architecture for 
data management that provides for the 
segmentation of substance use disorder 
and general behavioral health data from 
physical health care data, including a 
way to have consent operate differently 
in each of the environments, one 
commenter asserted that this is a costly 
challenging administrative burden that 
does nothing to promote the sharing of
information between all necessary 
providers for the integration of 
coordination of care. 

A commenter suggested that the 
financial burden of the proposed rule 
would vary depending on the size or 
complexity of the covered entity. 

Another commenter asserted that the 
rule should not be adopted because it 
would result in increased health care 
costs. The commenter stated that 
SAMHSA is not able to estimate 
additional costs that are likely to occur 
when adding sensitive substance
use disorder treatment information of
patients to electronic health information 
systems without patient consent (e.g., 
additional security, costs related to 
breaches, class action lawsuits for 
breached information, and loss of 
business due to breaches). The 
commenter concluded that, because 
these costs do not provide additional 
substance use disorder or health care 
services, and instead remove dollars 
from health care services, the proposed 
rule is in conflict with SAMHSA’s 
proposed goal of reducing unnecessary 
health care costs. 


SAMHSA Response 


SAMHSA agrees that costs may vary 
based on an institution’s size, 
complexity and patient population 
served. However, we anticipate that 
over time compliance costs will drop 
significantly as institutions implement 
initial compliance efforts. SAMHSA 
notes that EHRs already are widely used 
in many health care settings with no 
evidence of class action lawsuits, loss of 
business or other speculative impacts 
(see e.g., http://dashboard.healthit.gov/quickstats/quickstats.php). Though
SAMHSA is concerned about health 
care costs, the use of EHRs is likely both 
to improve care and reduce costs over 
time. Changes made in this rule will 
help to support EHR adoption and 
integration of care. Though in general 
EHR adoption among behavioral health 
providers lags behind that of other 
health care providers, forthcoming N-SSATS
data reflect that more than 25
percent of surveyed substance use 
disorder treatment facilities used EHRs 
only and more than half use EHRs and 
paper-based records. Such growing 
adoption by substance use disorder 
treatment facilities reflects that EHR use 
is consistent with good quality of care 
and 42 CFR part 2 compliance. 


2. Statement of Need 


This final rule reflects changes in the 
health care system and behavioral 
health, such as the increasing use of 
electronic health records and drive
toward greater integration of physical
and behavioral health care. Despite 
efforts to enhance integration and 
coordination of care, however, it 
remains important to ensure persons 
seeking treatment for substance use 
disorders can remain confident as to the 
safeguarding of their medical 
information. This rule updates 42 CFR 
part 2 to balance these important needs. 


3. Overall Impact 


SAMHSA examined the impacts of 
this final rule as required by Executive 
Order 12866 on Regulatory Planning 
and Review (September 30, 1993), 
Executive Order 13563 on Improving 
Regulation and Regulatory Review 
(January 18, 2011), the Regulatory 
Flexibility Act (RFA) (September 19, 
1980, Pub. L. 96-354), Section 1102(b) 
of the Social Security Act, section 202 
of the Unfunded Mandates Reform Act 
of 1995 (March 22, 1995; Pub. L. 104-4),
Executive Order 13132 on
Federalism (August 4, 1999) and the 
Congressional Review Act (5 U.S.C. 
804(2)). Executive Orders 12866 and 
13563 direct agencies to assess all costs 
and benefits of available regulatory 
alternatives and, if regulation is 
necessary, to select regulatory 
approaches that maximize net benefits 
(including potential economic, 
environmental, public health and safety 
effects, distributive impacts, and 
equity). Section 3(f) of Executive Order 
12866 defines a “significant regulatory
action” as an action that is likely to
result in a rule: (1) Having an annual 
effect on the economy of $100 million 
or more in any one year, or adversely 
and materially affecting a sector of the 
economy, productivity, competition, 
jobs, the environment, public health or 
safety, or state, local or tribal 
governments or communities (also 
referred to as “economically
significant”); (2) creating a serious
inconsistency or otherwise interfering 
with an action taken or planned by 
another agency; (3) materially altering 
the budgetary impacts of entitlement 
grants, user fees, or loan programs or the 
rights and obligations of recipients 
thereof; or (4) raising novel legal or 
policy issues arising out of legal 
mandates, the President’s priorities, or 
the principles set forth in the Executive 
Order. 

A regulatory impact analysis must be 
prepared for major rules with 
economically significant effects ($100 
million or more in any one year). This
rule does not reach the economic
threshold and thus is not considered to
be an economically significant rule.
However, because this rule raises novel
policy issues arising out of legal
mandates, the rule is considered “a
significant regulatory action,” this
regulatory impact analysis has been
prepared, and the rule has been
reviewed by OMB.

When estimating the total costs 
associated with changes to the 42 CFR 
part 2 regulations, we assumed five sets 
of costs: updates to health IT systems 
costs, costs for staff training and updates 
to training curriculum, costs to update 
patient consent forms, costs associated 
with providing patients a list of entities 
to which their information has been 
disclosed pursuant to a general 
designation on the consent form (i.e., 
the List of Disclosures requirement), and 
implementation costs associated with 
the List of Disclosures requirements. We 
assumed that costs associated with 
modifications to existing health IT 
systems, staff training costs associated 
with updating staff training materials, 
and costs to update consent forms 
would be one-time costs the first year 
the final rule is in effect and would not 
carry forward into future years. Staff 
training costs other than those 
associated with updating training 
materials were assumed to be ongoing 
annual costs to part 2 programs, also 
beginning in the first year that the final 
rule is in effect. The List of Disclosures 
costs were assumed to be ongoing 
annual costs to entities named on a 
consent form that disclose patient 
identifying information to their 
participants under the general 
designation. In the NPRM, SAMHSA 
proposed to require non-treating 
providers to implement the List of 
Disclosures requirement at any time, but 
they cannot use the general designation 
without being able to provide a List of 
Disclosures. Therefore, we assumed that 
starting in year 1 ten percent of entities 
would decide to implement each year, 
resulting in 100 percent of entities 
implementing by year 10. We note that 
it is possible that some entities will 
never implement this requirement and 
choose to forego use of the general 
designation. 

We estimated, therefore, that in the 
first year that the final rule is in effect, 
the total costs associated with updates 
to 42 CFR part 2 will be about
$70,691,000. In year two, we estimate that
costs will be roughly $17,680,000 and 
increase annually as a larger share of 
entities implement List of Disclosures 
requirements and respond to disclosure 
requests. Over the 10-year period of 
2016-2025, the total undiscounted cost 
of the part 2 changes will be about $241 
million in 2016 dollars. When future 
costs are discounted at 3 percent or 7 
percent per year, the total costs become 
approximately $217,586,000 or
$193,098,000, respectively. These costs
are presented in the tables below. 


TABLE 3—TOTAL COST OF 42 CFR PART 2 REVISIONS
[Note: Numbers may not add due to rounding]
[Note that all costs presented in this analysis are rounded to avoid communicating inaccurate levels of precision]
[2016 dollars]

Year    Staff training costs   Consent form updates   List of disclosures   Health IT costs   Total costs
        (A)                    (B)                    (C)                   (D)               (E)
1       $15,521,000            $2,104,000             $4,930,000            $48,136,000       $70,691,000
2       12,438,000             0                      5,242,000             0                 17,680,000
3       12,438,000             0                      5,554,000             0                 17,992,000
4       12,438,000             0                      5,866,000             0                 18,304,000
5       12,438,000             0                      6,178,000             0                 18,616,000
6       12,438,000             0                      6,490,000             0                 18,928,000
7       12,438,000             0                      6,802,000             0                 19,240,000
8       12,438,000             0                      7,114,000             0                 19,552,000
9       12,438,000             0                      7,426,000             0                 19,864,000
10      12,438,000             0                      7,738,000             0                 20,176,000
Total   127,463,000            2,104,000              63,338,000            48,136,000        241,040,000

TABLE 4—TOTAL COST OF 42 CFR PART 2 REVISIONS—ANNUAL DISCOUNTING
[Note: Numbers may not add due to rounding]
[2016 dollars]

Year         Total costs     Total with 3% annual discounting   Total with 7% annual discounting
             (E)             (F)                                (G)
1            $70,691,000     $70,691,000                        $70,691,000
2            17,680,000      17,165,000                         16,523,000
3            17,992,000      16,959,000                         15,715,000
4            18,304,000      16,751,000                         14,941,000
5            18,616,000      16,540,000                         14,202,000
6            18,928,000      16,327,000                         13,495,000
7            19,240,000      16,113,000                         12,820,000
8            19,552,000      15,897,000                         12,176,000
9            19,864,000      15,681,000                         11,561,000
10           20,176,000      15,463,000                         10,974,200
Total        241,040,000     217,586,000                        193,098,000
Annualized                   25,507,717.01                      27,492,811.02


The costs associated with the 
proposed revisions stem from staff 
training and updates to training 
curriculum, updates to patient consent 
forms, compliance with the List of 
Disclosures requirement (including 
implementation costs), and updates to 
health IT infrastructure for information 
exchange. Based on data from the 2013 
N-SSATS, we estimated that 12,034 
hospitals, outpatient treatment centers, 
and residential treatment facilities are 
covered by part 2. N-SSATS is an 
annual survey of U.S. substance use 
disorder treatment facilities. Data is 
collected on facility location, 
characteristics, and service utilization. 
Not all treatment providers included in 
N-SSATS are believed to be under the
jurisdiction of the part 2 regulations. 


The 12,034 number is a subset of the 
14,148 substance use disorder treatment 
facilities that responded to the 2013
N-SSATS, and includes all federally
operated facilities, facilities that 
reported receiving public funding other 
than Medicare and Medicaid, facilities 
that reported accepting Medicare, 
Medicaid, TRICARE, and/or Access to 
Recovery (ATR) voucher payments, or 
were SAMHSA-certified Opioid 
Treatment Programs. If a facility did not 
have at least one of these conditions, it 
was interpreted not to have received any 
federal funding and, therefore, not 
included in the estimate. The estimated 
annual number of respondents, 12,034, 
is based on N-SSATS data and reflects
facilities receiving federal funding.
However, under N-SSATS an
organization may complete survey
responses for multiple facilities it 
oversees. Thus, an organization with 
three facilities may complete three 
separate surveys. 


If an independently practicing 
clinician does not meet the 
requirements of paragraph (1) of the 
definition of Program they may be 
subject to 42 CFR part 2 if they 
constitute an identified unit within a 
general medical facility which holds 
itself out as providing, and provides, 
substance use disorder diagnosis, 
treatment, or referral for treatment or if 
their primary function in the facility or 
practice is the provision of such services 
and they are identified as providing 
such services. Due to data limitations, it 
was not possible to estimate the costs
for independently practicing providers 
covered by part 2 that did not 
participate in the 2013 N-SSATS. For 
example, data from American Board of 
Addiction Medicine (ABAM) provides 
the number of physicians since 2000 
who have active ABAM certification. 
However, there is no source for the 
number of physicians who have not 
participated in the ABAM certification 
process. In addition, it is not possible to 
determine which ABAM-certified 
physicians practice in a general medical 
setting rather than in a specialty 
treatment facility that was already 
counted in the N-SSATS data. 

Several provisions in the NPRM 
referenced “other lawful holders of
patient identifying information” in 
combination with part 2 programs. 
These other lawful holders must comply 
with part 2 requirements with respect to 
information they maintain that is 
covered by part 2 regulations. However, 
because this group could encompass a 
wide range of organizations, depending 
on whether they received part 2 data via 
patient consent or as a result of one of 
the limited exceptions to the consent 
requirement specified in the regulations, 
we are unable to include estimates 
regarding the number and type of these 
organizations and only included part 2 
programs in this analysis. 

In addition to the part 2 programs 
described above, SAMHSA proposed 
that entities named on a consent form 
that disclose patient identifying 
information to their participants under 
the general designation must provide 
patients, upon request, a list of entities 
to which their information has been 
disclosed pursuant to a general 
designation (i.e., list of disclosures). 
These entities primarily would include 
organizations that facilitate the 
exchange of health information (e.g., 
HIEs), and may also include 
organizations responsible for care 
coordination (e.g., ACOs, CCOs, and 
CPCMHs). The most recent estimates of 
these types of entities are 67 functional, 
publicly funded HIEs and 161 
functional, privately funded HIEs in 
2013.¹ As of January 2015, there were an
estimated 744 ACOs covering
approximately 23.5 million
individuals.² Finally, the National
Committee for Quality Assurance
(NCQA) recently noted that there are
now more than 10,000 NCQA-recognized
CPCMHs.³ While these types
of organizations were the primary focus 
of this provision on the consent form, 
other types of entities, such as research 
institutions, may also disclose patient 
identifying information to their 
participants (e.g., clinical researchers) 
pursuant to the general designation on
the consent form. Because there are no
definitive data sources for this potential 
range of organizations, we are not 
associating requests for lists of 
disclosures with any particular type of 
organization. We, instead, estimate the 
number of organizations that must 
respond to list of disclosures requests 
based on the total number of requests 
each year. 


a. Direct Costs of Implementing the 
Proposed Regulations 


There is no known baseline estimate 
of the current costs associated with 42 
CFR part 2 compliance. However, as
reflected by commenters who requested
alignment between HIPAA and 42 CFR
part 2, HIPAA authorization and
notification requirements have
similarities to requirements of 42 CFR
part 2 (see
http://www.hhs.gov/hipaa/for-professionals/privacy/index.html).
Instead, therefore, in the absence of data
and studies specifically focused on
compliance with 42 CFR part 2,
SAMHSA has estimated these costs
based on a range of published costs
associated with HIPAA implementation
and compliance.⁴ ⁵


i. Staff Training 


Because SAMHSA lacks specific data 
regarding the cost of staff training to 
comply with 42 CFR part 2, SAMHSA 
has examined analogous HIPAA 
implementation costs. A standard
HIPAA training that meets or exceeds
the federal training requirements is, on
average, one hour long.⁶ Therefore, we
also estimated one hour of training per
staff to achieve proficiency in the 42
CFR part 2 regulations. To estimate the
labor costs associated with staff training,
we averaged the average hourly costs for
counseling staff in specialty treatment
centers ($20.33 ⁷), hospital treatment
centers ($21.80 ⁸), and solo practice
offices ($24.67 ⁹). The resulting average
wage rate was $22.27 per hour. In order 
to account for benefits and overhead 
costs associated with staff time, we 
multiplied the average hourly wage rate 
by two. These estimates were only for 
training costs associated with 
counseling staff, who we assume will 
have primary responsibility for 
executing the functions associated with 
the part 2 revisions. 

It is important as well to note that 
many current staff already have 
familiarity with current (1987) 42 CFR 
part 2 requirements. With regard to 
training materials, most part 2 programs 
are assumed to already have training 
curricula in place that covers current 
(1987) 42 CFR part 2 regulations, and, 
therefore, these facilities would only 
need to update existing training
materials rather than develop new
materials. Part 2 entities may determine
the content of this training. The
American Hospital Association
estimated that the costs for the
development of Privacy and
Confidentiality training, which would
include the development of training
materials and instructor labor costs, were
$16 per employee training hour in
2000.¹⁰ Because we assumed that part
2 programs would be updating existing
rather than developing entirely new
training materials, we estimated the cost
of training development to be one-half
of the cost of developing new materials,
or $8 per employee. Adjusted for
inflation,¹¹ training development costs
in 2016 would be $11.04 per employee.

We used SAMHSA’s 2010-2012 TEDS
average annual number of treatment
admissions (n=1,861,693) as an estimate
of the annual number of patients at part
2 programs and calculated staffing
numbers based on a range of counseling
staff-to-client ratios (i.e., 1 to 10 ¹² and
1 to 5 ¹³). Based on these assumptions,
staff training costs associated with part 
2 patient consent procedures were 
projected to range from $10.3 million to 
$20.7 million in 2016. We averaged the 
two estimated costs for staff training to 
determine the final overall estimate of 
$15,521,000. We assumed the costs 
associated with updating training 
materials will be a one-time cost. 
Therefore, in subsequent years, we 
assumed the costs associated with staff 
training would be a function of the 
average hourly wage rate (multiplied by 
two to account for benefits and 
overhead costs) and the estimated 
number of staff (developed based on the 
same two staff-to-client ratios described 
above multiplied by estimated patient 
counts). Staff training costs associated 
with part 2 revisions were projected to 
range from $8.3 million to $16.6 million 
after 2016. We averaged the two 
estimated costs for staff training to 
determine the final overall estimate of 
$12,438,000. 


ii. Updates to Consent Forms 


Updates to the 42 CFR part 2 
regulations will need to be reflected in 
patient consent forms. As there is no 
literature to date on costs to update 
forms for 42 CFR part 2, we examined 
results from a 2008 study from the Mayo 
Clinic Health Care Systems ¹⁴ that
reported actuarial costs for HIPAA 
implementation activities. These costs 
were about $1 per patient visit. 
Adjusted for inflation, costs associated 
with updating the patient consent forms 
in 2016 would be $1.13 per patient visit. 
We used the average number of 
substance abuse treatment admissions
from SAMHSA’s 2010-2012 TEDS as
our estimate of the number of clients
treated on an annual basis by part 2
facilities. The total cost burden
associated with updating the consent
forms to reflect the updated 42 CFR
part 2 regulations would be
approximately $2,104,000 (1,861,693 *
$1.13).¹¹


iii. List of Disclosures Costs 


The proposed part 2 regulations allow 
patients who have consented to disclose 
their identifying information using a 
general designation to request a list of 
entities to which their information has 
been disclosed pursuant to the general 
designation. Under this final rule, 
entities named on a consent form that 
disclose patient identifying information 
to their participants under the general 
designation will be required to provide 
a list of disclosures after receiving a 
patient request. Under the List of 
Disclosures requirements, a patient 
could make a request, for example, to an 
organization that facilitates the 
exchange of health information (e.g., an 
HIE) or an organization responsible for 
coordinating care (e.g., an ACO) for a 
list of disclosures that would include 
the name of the entity to whom each 
disclosure was made, the date of the 
disclosure, and a brief description of the 
patient identifying information 
disclosed, and include this information 
for all entities to whom the patient 
identifying information has been 
disclosed pursuant to the general 
designation in the past two years. 

For purposes of the analysis, we 
assumed that entities disclosing patient 
identifying information to their 
participants pursuant to a patient’s 
general designation on a consent form 
are already collecting the information 
necessary to comply with the List of 
Disclosures requirement, in some form, 
either electronically or using paper 
records. We also assumed that these 
entities could comply with the List of 
Disclosures requirement by either 
collecting this information 
electronically by using audit logs to 
obtain the required information or by 
keeping a paper record. However, to 
address possible concerns about 
technical feasibility and other 
implementation issues, SAMHSA 
finalizes its proposal that the List of 
Disclosures requirement may be 
implemented at any time, but non- 
treating providers cannot use the 
general designation without being able 
to provide a List of Disclosures to allow 
entities collecting this information time 
to review their operations and business 
processes and to decide whether 
technological solutions are needed to
enable them to more efficiently comply
with the requirement. 

In order to make preliminary 
estimates of the implementation costs, 
we first estimated the number of 
potentially impacted entities based on 
the anticipated number of patient 
requests for a disclosure report in a 
calendar year. We used the average 
number of substance use disorder 
treatment admissions from SAMHSA’s 
2010-2012 TEDS (n = 1,861,693) as the 
number of patients treated annually by 
part 2 programs. We then used the 
average of a 0.1 and 2 percent patient 
request rate as our estimate of the 
number of impacted entities (n = 
19,548). 

From there, we assumed 10 percent of 
the impacted entities would use paper 
records to comply with the disclosure 
reporting requirements (n = 1,995) and 
would have minimal implementation 
costs. Among the remaining entities, 
many may be able to comply with the 
disclosure reporting requirements 
without developing or implementing 
new technologies. For entities that do 
choose to either update their existing 
capabilities or develop and implement 
new technologies to facilitate 
compliance, we assumed two sets of 
costs: (1) Planning and policy 
development costs and (2) system 
update costs. SAMHSA notes that the 
Office of the National Coordinator for 
Health Information Technology and 
other organizations are encouraging 
adoption of electronic health records to 
allow providers to access patient 
records remotely, improve 
communication with patients and other 
providers and reduce errors
(https://www.healthit.gov/providers-professionals/benefits-electronic-health-records-ehrs).
For these reasons, we
believe that the trend toward adoption 
of electronic health records will 
continue. 

Absent any data on the number of 
facilities that would require new 
technology or the type of technology to 
be implemented, we assumed that 
twenty-five percent (n = 4,398) of the 
remaining entities would choose to 
upgrade their existing health IT systems. 
The actual system upgrade costs will 
vary considerably based on the type of 
upgrades that are required. Some 
entities may only require minor system 
updates to streamline the reporting 
requirements, while others may choose 
to implement an entirely new system. 
Given these data limitations, we 
assumed an average, per-entity cost, of 
$2,500 for planning development costs 
and an average, per-entity cost, of 
$8,000 for system upgrades for a total 
cost of $10,500. We assume that ten
percent of entities will implement each
year, resulting in 100 percent of the 
4,398 entities having implemented the 
system planning and upgrades by year 
10. The implementation costs for List of 
Disclosures reporting compliance in 
year 1, and each year thereafter, are 
estimated to be approximately 
$4,618,000 ([4,398*0.10] * 
[8,000+2,500]). We acknowledge that 
without better data on the number of 
facilities that may require new 
technology and the number of facilities 
that would use the general designation 
and therefore be required to comply 
with the list of disclosures requirement, 
this approach may overestimate or 
underestimate the costs. 

As entities begin to comply with the 
disclosure reporting requirements, we 
assumed that the majority of the costs 
associated with the List of Disclosures 
requirement would primarily come from 
staff time needed to prepare a list of 
disclosures upon a patient’s request. We 
also assumed that the information 
would need to be converted to a format 
that is accessible to patients. 

For those entities with a health IT 
system, we expected that disclosure 
information would be available in the 
system’s audit log. We also assumed 
that, unless the audit log has some sort 
of electronic filtering system, it would 
contain information above and beyond 
the requirements for complying with a 
request for a list of disclosures. We had 
also assumed that the staff accessing 
and filtering an audit log to compile the 
information for lists of disclosures 
would be health information 
technicians. The average hourly rate for 
health information technicians is $19.44 
an hour.¹⁵ In order to account for
benefits and overhead costs associated 
with staff time, we multiplied the 
hourly wage rate by two. Absent any 
existing information on the amount of 
time associated with producing a list of 
disclosures from an audit log, we 
assumed it would take a health 
information technician half a day (or 4 
hours) on average, to produce the list 
from an audit log. 

For entities using paper records to 
track disclosures, we expected that a 
staff member would need to gather and 
aggregate the requested list of 
disclosures from paper records. We 
assumed medical record technicians 
would be the staff with the primary 
responsibility for compiling the 
information for a list of disclosures. The 
average hourly rate for medical record 
technicians is $19.44 an hour.¹⁶ In
order to account for benefits
and overhead costs associated with staff
time, we multiplied the hourly wage
rate by two. Absent any existing
information on the amount of time
associated with producing a list of
disclosures from paper records, we
assumed it would take a medical record
technician 3 hours, on average, to
produce the list from paper records.¹⁷

The number of requests for a list of 
disclosures will determine the overall 
burden associated with the List of 
Disclosures reporting requirements. 
However, because this is a new 
requirement, there were no data on 
which to base an estimated number of 
requests per year. We expected that the 
rate of requests will be relatively low. 
We therefore calculated the total costs 
for two rates, 0.1 percent and 2 percent 
of patients per year. 

We used the average number of 
substance use disorder treatment 
admissions from SAMHSA’s 2010-2012 
TEDS as the number of patients treated 
annually by part 2 programs. Assuming 
that 10 percent of patients making 
requests (n = 186.17 to n = 3,723.39) 
would request a list of disclosures from 
entities that track disclosures through 
paper records and 90 percent of patients 
making requests (n = 1,675.52 to n =
33,510.47) would make such a request 
of entities that track disclosures through 
health IT audit logs, the estimated costs 
to develop lists of disclosures range 
from roughly $21,700 to $434,300 for 
entities using paper records, and 
$261,000 to $5,212,000 for entities using 
audit logs. (These ranges reflect the 
costs based on the two estimated patient
rates of request referenced above (i.e.,
0.1 percent and 2 percent of patients per 
year)). 

Once a list of disclosures has been 
produced, it can be returned to the 
patient either by email or mail. Since 
the method of sending the list of 
disclosures depends on patient 
preference, we assumed that 50 percent 
of the lists of disclosures would be sent 
by email and 50 percent by first-class 
mail. We assumed that mailing and 
supply costs related to list of disclosures 
notifications were $0.10 supply cost per 
notification and $0.49 postage cost per 
mailing. We also estimated that it would 
take an administrative staff member 15 
minutes to prepare each list of 
disclosures for mailing and/or 
transmitting, and that staff preparing the 
letters earn $15.34 ¹⁸ per hour. In
order to account for benefits and 
overhead costs associated with staff 
time, we multiplied the hourly wage 
rate by two. The estimated costs for list 
of disclosures notifications range from 
approximately $7,700 to $154,000 for
notifications sent by first-class mail, and
$7,140 to $143,000 for notifications
sent by email.

To produce the final overall cost 
estimate, we took the average of the 
minimum and maximum estimated 
costs to develop lists of disclosures by 
entities collecting the information 
electronically by using an audit log, and 
the average of the minimum and 
maximum estimated costs to develop
lists of disclosures by entities using
paper records. We then added the 
averages together to produce our 
estimate of the total cost to entities to 
develop lists of disclosures. Next we 
took the average of the minimum and 
maximum estimated costs for list of 
disclosures notifications sent via email 
and the minimum and maximum 
estimated costs for such notifications 
sent via first-class mail. We then added 
these two averages together to produce 
our estimate of the total cost to entities 
for list of disclosures notifications. 
Finally, the development and 
notification costs for these lists of 
disclosures were added together for the 
final estimate of costs associated with 
complying with List of Disclosures 
reporting requirements. The total cost 
for List of Disclosures reporting 
compliance across all entities was 
roughly $3,120,000 in 2016 dollars. 
Complying with List of Disclosures 
requirements is assumed to be an 
ongoing, annual activity for entities that 
have completed the system upgrade and 
comply with the disclosure 
requirements. Since we assume 10 
percent of entities begin to comply with 
the requirements each year, year 1 
reporting compliance costs are roughly
$312,000 (3,120,000*0.10) and $624,000
(3,120,000*0.20) in year 2, and
continue to increase each year until, in
year 10, all entities are complying and
have annual compliance costs of
$3,120,000.


TABLE 5—TOTAL ESTIMATED DISCLOSURE REPORTING COSTS IN 2018
[Note: Numbers may not add due to rounding]

                                        Minimum          Maximum          Average
                                        estimated cost   estimated cost   estimated cost
Facilities with a Health IT System      $261,000         $5,212,000       $2,736,000
Facilities without a Health IT System   21,700           434,300          228,000
Total Costs                                                               2,964,000
Average Number of Facilities                                              19,548

TABLE 6—TOTAL ESTIMATED DISCLOSURE NOTIFICATION COSTS IN 2018
[Note: Numbers may not add due to rounding]

                                        Minimum          Maximum          Average
                                        estimated cost   estimated cost   estimated cost
Email Notification                      $7,100           $143,000         $75,000
First Class Mail Notification           7,700            154,000          81,000
Total Costs                                                               156,000





iv. IT Updates 


SAMHSA, in collaboration with ONC 
and federal and community 
stakeholders, has developed 
Consent2Share which is an open source
tool for consent management and data
segmentation that is designed to
integrate with existing EHR and HIE
systems. SAMHSA plans to release
shortly an updated version of
Consent2Share with improved
functionality and ability to meet list of
disclosures requirements. 

The Consent2Share architecture has a 
front-end, patient facing system known 
as Patient Consent Management and a 
backend control system known as
Access Control Services.
Communications with EHR vendors 
indicated that the cost to facilities of 
purchasing and installing additional 
functionality to existing electronic 
medical records applications, such as 
Consent2Share, typically range from 
$2,500 to $5,000. Because the add-on 
systems for part 2 programs may be 
more complex than standard patient 
monitoring systems, we estimated that 
the cost of adding the new functionality 
would be approximately $8,000 per 
facility. We also assumed that this 
would be a one-time expense, rather 
than a recurring cost, for each provider. 
SAMHSA acknowledges that there may 
be fluctuation in costs among affected 
entities from the average cost. However, 
though costs could possibly be higher 
for some entities, information shared by 
commenters was largely anecdotal and 
it is unclear how such data could be 
broadly extrapolated to a wide range of 
entities. 

Furthermore, national estimates 
indicated that no more than 50 percent 
of substance use disorder treatment 
facilities have an operational 
“computerized administrative 
information system.” ¹⁹ We, therefore,
estimated that only half of the 12,034 
part 2 programs (i.e., 6,017 facilities) 
would have operational health IT 
systems that would require 
modifications to account for the changes 
to 42 CFR part 2. With 6,017 part 2 
programs with operational information 
systems, we estimated that each facility 
would need to spend $8,000 to modify 
their health IT system, which would 
lead to a total burden for updating 
health IT systems of $48.1 million. 
Updating health IT systems would be a 
one-time cost, and maintenance costs 
should be part of general health IT 
maintenance costs in later years. The 
final rule does not require that part 2 
programs adopt health IT systems so 
there are no health IT costs associated 
with substance use disorder treatment 
facilities that continue to use paper 
records. 


C. Regulatory Flexibility Act (RFA) 


The RFA requires agencies to analyze 
options for regulatory relief of small 
entities. For purposes of the RFA, small 
entities include small businesses, 
nonprofit organizations, and small 
governmental jurisdictions. Most 
hospitals and most other providers are 
small entities, either by nonprofit status 
or by having revenues of less than $7.5 
million to $38.5 million in any one year. 
Individuals and states are not included 
in the definition of a small entity. We 
are not preparing an analysis for the 
RFA because we have determined, and
the Secretary certifies, that this final
rule will not have a significant 
economic impact on a substantial 
number of small entities. While the 
changes in the regulations will apply to 
all part 2 programs, the impact on these 
entities would be quite small. 
Specifically, as described in the Overall 
Impact section, the cost to part 2 
programs associated with updates to 42 
CFR part 2 in the first year that the final 
rule is in effect will be $76.1 million, a 
figure that due to a number of one-time 
updates, is the highest for any of the 10 
years estimated. The per-entity 
economic impact in the first year will be 
approximately $6,300 ($76,100,000 ÷
12,034), a figure that is unlikely to 
represent 3 percent of revenues for 5 
percent of impacted small entities. 
Consequently, it has been determined 
that the final rule will not have a 
significant economic impact on small 
entities. 

In addition, Section 1102(b) of the Act 
requires us to prepare a regulatory 
impact analysis if a rule may have a 
significant impact on the operations of 
a substantial number of small rural 
hospitals. This analysis must conform to 
the provisions of Section 603 of the 
RFA. For purposes of Section 1102(b) of 
the Act, we defined a small rural 
hospital as a hospital that is located 
outside of a Metropolitan Statistical 
Area for Medicare payment regulations 
and has fewer than 100 beds. We are not 
preparing an analysis for Section 
1102(b) of the Act because we have 
determined, and the Secretary certifies, 
that this final rule will not have a 
significant impact on the operations of 
a substantial number of small rural 
hospitals. 


D. Unfunded Mandates Reform Act 


Section 202 of the Unfunded 
Mandates Reform Act of 1995 also 
requires that agencies assess anticipated 
costs and benefits before issuing any 
rule whose mandates require spending 
in any one year of $100 million in 1995 
dollars, updated annually for inflation. 
In 2016, that threshold is approximately 
$146 million. This rule will have no 
consequential effect on state, local, or 
tribal governments or on the private 
sector. 


E. Federalism (Executive Order 13132) 


Executive Order 13132 establishes 
certain requirements that an agency 
must meet when it promulgates a 
proposed rule (and subsequent final 
rule) that imposes substantial direct 
requirement costs on state and local 
governments, preempts state law, or 
otherwise has Federalism implications. 
Since this rule does not impose any 
costs on state or local governments, the 
requirements of Executive Order 13132 
are not applicable. 

SAMHSA is modernizing 42 CFR part 
2. With respect to our revisions to the 
part 2 regulations, we do not believe 
that this final rule will have a 
significant impact as it gives more 
flexibility to individuals and entities 
covered by 42 CFR part 2 but also adds 
privacy protections within the consent 
requirements for the patient. We are 
revising the part 2 regulations in 
response to concerns that 42 CFR part 
2 was outdated and burdensome. 

Executive Order 13132 on Federalism 
(August 4, 1999) establishes certain 
requirements that an agency must meet 
when it promulgates a proposed rule 
(and subsequent final rule) that imposes 
substantial direct requirement costs on 
state and local governments, preempts 
state law, or otherwise has Federalism 
implications. We have reviewed this 
final rule under the threshold criteria of 
Executive Order 13132, Federalism, and 
have determined that it will not have 
substantial direct effects on the rights, 
roles, and responsibilities of states, local 
or tribal governments. 


Conclusion 


SAMHSA is enacting changes to 
modernize 42 CFR part 2. With respect 
to our revisions to the regulations, we 
do not believe that this final rule will 
have a significant impact as it gives 
more flexibility to individuals and 
entities covered by 42 CFR part 2 but 
also increases privacy protections 
within the consent requirements and 
adds an additional confidentiality 
safeguard for patients. This final rule 
does not reach the threshold for 
requiring a regulatory impact analysis 
by Executive Orders 12866 and 13563 
and thus is not considered an 
economically significant rule. This rule 
will not have a significant economic 
impact on a substantial number of small 
entities. This rule will not have a 
significant impact on the operations of 
a substantial number of small rural 
hospitals. Since this rule does not 
impose any costs on state or local 
governments, the requirements of 
Executive Order 13132 on federalism 
are not applicable. 
List of Subjects in 42 CFR Part 2 


Alcohol abuse, Alcoholism, Drug 
abuse, Grant programs-health, Health 
records, Privacy, Reporting, and 
Recordkeeping requirements. 


For the reasons stated in the preamble 
of this final rule, SAMHSA revises 42 
CFR part 2 to read as follows: 


PART 2—CONFIDENTIALITY OF 
SUBSTANCE USE DISORDER PATIENT 
RECORDS 


Subpart A—Introduction 


Sec. 

2.1 Statutory authority for confidentiality of 
substance use disorder patient records. 

2.2 Purpose and effect. 

2.3 Criminal penalty for violation. 

2.4 Reports of violations. 


Subpart B—General Provisions 


Sec. 

2.11 Definitions. 

2.12 Applicability. 

2.13 Confidentiality restrictions and 
safeguards. 

2.14 Minor patients. 

2.15 Incompetent and deceased patients. 

2.16 Security for records. 

2.17 Undercover agents and informants. 

2.18 Restrictions on the use of 
identification cards. 

2.19 Disposition of records by discontinued 
programs. 

2.20 Relationship to state laws. 

2.21 Relationship to federal statutes 
protecting research subjects against 
compulsory disclosure of their identity. 

2.22 Notice to patients of federal 
confidentiality requirements. 

2.23 Patient access and restrictions on use. 


Subpart C—Disclosures with Patient 
Consent 


Sec. 

2.31 Consent requirements. 

2.32 Prohibition on re-disclosure. 

2.33 Disclosures permitted with written 
consent. 

2.34 Disclosures to prevent multiple 
enrollments. 

2.35 Disclosures to elements of the criminal 
justice system which have referred 
patients. 


Subpart D—Disclosures without Patient 
Consent 

Sec. 

2.51 Medical emergencies. 

2.52 Research. 

2.53 Audit and evaluation. 


Subpart E—Court Orders Authorizing 
Disclosure and Use 

Sec. 

2.61 Legal effect of order. 

2.62 Order not applicable to records 
disclosed without consent to researchers, 
auditors and evaluators. 

2.63 Confidential communications. 

2.64 Procedures and criteria for orders 
authorizing disclosures for noncriminal 
purposes. 

2.65 Procedures and criteria for orders 
authorizing disclosure and use of records 
to criminally investigate or prosecute 
patients. 

2.66 Procedures and criteria for orders 
authorizing disclosure and use of records 
to investigate or prosecute a part 2 
program or the person holding the 
records. 

2.67 Orders authorizing the use of 
undercover agents and informants to 
criminally investigate employees or 
agents of a part 2 program. 


Authority: 42 U.S.C. 290dd-2. 


Subpart A—Introduction 


§2.1 Statutory authority for confidentiality 
of substance use disorder patient records. 


Title 42, United States Code, Section 
290dd-2(g) authorizes the Secretary to 
prescribe regulations. Such regulations 
may contain such definitions, and may 
provide for such safeguards and 
procedures, including procedures and 
criteria for the issuance and scope of 
orders, as in the judgment of the 
Secretary are necessary or proper to 
effectuate the purposes of this statute, to 
prevent circumvention or evasion 
thereof, or to facilitate compliance 
therewith. 


§2.2 Purpose and effect. 


(a) Purpose. Pursuant to 42 U.S.C. 
290dd-2(g), the regulations in this part 
impose restrictions upon the disclosure 
and use of substance use disorder 
patient records which are maintained in 
connection with the performance of any 
part 2 program. The regulations in this 
part include the following subparts: 

(1) Subpart B of this part: General 
Provisions, including definitions, 
applicability, and general restrictions; 

(2) Subpart C of this part: Disclosures 
with Patient Consent, including 
disclosures which require patient 
consent and the consent form 
requirements; 

(3) Subpart D of this part: Disclosures 
without Patient Consent, including 
disclosures which do not require patient 
consent or an authorizing court order; 
and 

(4) Subpart E of this part: Court 
Orders Authorizing Disclosure and Use, 
including disclosures and uses of 
patient records which may be made 
with an authorizing court order and the 
procedures and criteria for the entry and 
scope of those orders. 

(b) Effect. (1) The regulations in this 
part prohibit the disclosure and use of 
patient records unless certain 
circumstances exist. If any circumstance 
exists under which disclosure is 
permitted, that circumstance acts to 
remove the prohibition on disclosure 
but it does not compel disclosure. Thus, 
the regulations do not require disclosure 
under any circumstances. 

(2) The regulations in this part are not 
intended to direct the manner in which 
substantive functions such as research, 
treatment, and evaluation are carried 
out. They are intended to ensure that a 
patient receiving treatment for a 
substance use disorder in a part 2 
program is not made more vulnerable by 
reason of the availability of their patient 
record than an individual with a 
substance use disorder who does not 
seek treatment. 

(3) Because there is a criminal penalty 
for violating the regulations, they are to 
be construed strictly in favor of the 
potential violator in the same manner as 
a criminal statute (see M. Kraus & 
Brothers v. United States, 327 U.S. 614, 
621-22, 66 S. Ct. 705, 707-08 (1946)). 


§2.3 Criminal penalty for violation. 


Under 42 U.S.C. 290dd-2(f), any 
person who violates any provision of 
this section or any regulation issued 
pursuant to this section shall be fined in 
accordance with Title 18 of the U.S. 
Code. 


§2.4 Reports of violations. 


(a) The report of any violation of the 
regulations in this part may be directed 
to the United States Attorney for the 
judicial district in which the violation 
occurs. 

(b) The report of any violation of the 
regulations in this part by an opioid 
treatment program may be directed to 
the United States Attorney for the 
judicial district in which the violation 
occurs as well as to the Substance 
Abuse and Mental Health Services 
Administration (SAMHSA) office 
responsible for opioid treatment 
program oversight. 


Subpart B—General Provisions 


§2.11 Definitions. 


For purposes of the regulations in this 
part: 


Central registry means an organization 
which obtains from two or more 
member programs patient identifying 
information about individuals applying 
for withdrawal management or 
maintenance treatment for the purpose 
of avoiding an individual’s concurrent 
enrollment in more than one treatment 
program. 

Diagnosis means any reference to an 
individual’s substance use disorder or to 
a condition which is identified as 
having been caused by that substance 
use disorder which is made for the 
purpose of treatment or referral for 
treatment. 

Disclose means to communicate any 
information identifying a patient as 
being or having been diagnosed with a 
substance use disorder, having or 
having had a substance use disorder, or 
being or having been referred for 
treatment of a substance use disorder 
either directly, by reference to publicly 
available information, or through 
verification of such identification by 
another person. 

Federally assisted—see § 2.12(b). 

Informant means an individual: 

(1) Who is a patient or employee of a 
part 2 program or who becomes a 
patient or employee of a part 2 program 
at the request of a law enforcement 
agency or official; and 

(2) Who at the request of a law 
enforcement agency or official observes 
one or more patients or employees of 
the part 2 program for the purpose of 
reporting the information obtained to 
the law enforcement agency or official. 

Maintenance treatment means long- 
term pharmacotherapy for individuals 
with substance use disorders that 
reduces the pathological pursuit of 
reward and/or relief and supports 
remission of substance use disorder- 
related symptoms. 

Member program means a withdrawal 
management or maintenance treatment 
program which reports patient 
identifying information to a central 
registry and which is in the same state 
as that central registry or is in a state 
that participates in data sharing with the 
central registry of the program in 
question. 

Minor, as used in the regulations in 
this part, means an individual who has 
not attained the age of majority 
specified in the applicable state law, or 
if no age of majority is specified in the 
applicable state law, the age of 18 years. 

Part 2 program means a federally 
assisted program (federally assisted as 
defined in § 2.12(b) and program as 
defined in this section). See § 2.12(e)(1) 
for examples. 

Part 2 program director means: 


(1) In the case of a part 2 program that 
is an individual, that individual. 

(2) In the case of a part 2 program that 
is an entity, the individual designated as 
director or managing director, or 
individual otherwise vested with 
authority to act as chief executive officer 
of the part 2 program. 

Patient means any individual who has 
applied for or been given diagnosis, 
treatment, or referral for treatment for a 
substance use disorder at a part 2 
program. Patient includes any 
individual who, after arrest on a 
criminal charge, is identified as an 
individual with a substance use 
disorder in order to determine that 
individual’s eligibility to participate in 
a part 2 program. This definition 
includes both current and former 
patients. 

Patient identifying information means 
the name, address, social security 
number, fingerprints, photograph, or 
similar information by which the 
identity of a patient, as defined in this 
section, can be determined with 
reasonable accuracy either directly or by 
reference to other information. The term 
does not include a number assigned to 
a patient by a part 2 program, for 
internal use only by the part 2 program, 
if that number does not consist of or 
contain numbers (such as a social 
security, or driver’s license number) that 
could be used to identify a patient with 
reasonable accuracy from sources 
external to the part 2 program. 

Person means an individual, 
partnership, corporation, federal, state 
or local government agency, or any 
other legal entity, (also referred to as 
“individual or entity”). 

Program means: 

(1) An individual or entity (other than 
a general medical facility) who holds 
itself out as providing, and provides, 
substance use disorder diagnosis, 
treatment, or referral for treatment; or 

(2) An identified unit within a general 
medical facility that holds itself out as 
providing, and provides, substance use 
disorder diagnosis, treatment, or referral 
for treatment; or 

(3) Medical personnel or other staff in 
a general medical facility whose 
primary function is the provision of 
substance use disorder diagnosis, 
treatment, or referral for treatment and 
who are identified as such providers. 

Qualified service organization means 
an individual or entity who: 

(1) Provides services to a part 2 
program, such as data processing, bill 
collecting, dosage preparation, 
laboratory analyses, or legal, accounting, 
population health management, medical 
staffing, or other professional services, 
or services to prevent or treat child 
abuse or neglect, including training on 
nutrition and child care and individual 
and group therapy, and 

(2) Has entered into a written 
agreement with a part 2 program under 
which that individual or entity: 

(i) Acknowledges that in receiving, 
storing, processing, or otherwise dealing 
with any patient records from the part 
2 program, it is fully bound by the 
regulations in this part; and 

(ii) If necessary, will resist in judicial 
proceedings any efforts to obtain access 
to patient identifying information 
related to substance use disorder 
diagnosis, treatment, or referral for 
treatment except as permitted by the 
regulations in this part. 

Records means any information, 
whether recorded or not, created by, 
received, or acquired by a part 2 
program relating to a patient (e.g., 
diagnosis, treatment and referral for 
treatment information, billing 
information, emails, voice mails, and 
texts). For the purpose of the regulations 
in this part, records include both paper 
and electronic records. 

Substance use disorder means a 
cluster of cognitive, behavioral, and 
physiological symptoms indicating that 
the individual continues using the 
substance despite significant substance- 
related problems such as impaired 
control, social impairment, risky use, 
and pharmacological tolerance and 
withdrawal. For the purposes of the 
regulations in this part, this definition 
does not include tobacco or caffeine use. 

Third-party payer means an 
individual or entity who pays and/or 
agrees to pay for diagnosis or treatment 
furnished to a patient on the basis of a 
contractual relationship with the patient 
or a member of the patient’s family or 
on the basis of the patient’s eligibility 
for federal, state, or local governmental 
benefits. 

Treating provider relationship means 
that, regardless of whether there has 
been an actual in-person encounter: 

(1) A patient is, agrees to, or is legally 
required to be diagnosed, evaluated, 
and/or treated, or agrees to accept 
consultation, for any condition by an 
individual or entity, and; 

(2) The individual or entity 
undertakes or agrees to undertake 
diagnosis, evaluation, and/or treatment 
of the patient, or consultation with the 
patient, for any condition. 

Treatment means the care of a patient 
suffering from a substance use disorder, 
a condition which is identified as 
having been caused by the substance 
use disorder, or both, in order to reduce 
or eliminate the adverse effects upon the 
patient. 


Undercover agent means any federal, 
state, or local law enforcement agency 
or official who enrolls in or becomes an 
employee of a part 2 program for the 
purpose of investigating a suspected 
violation of law or who pursues that 
purpose after enrolling or becoming 
employed for other purposes. 

Withdrawal management means the 
use of pharmacotherapies to treat or 
attenuate the problematic signs and 
symptoms arising when heavy and/or 
prolonged substance use is reduced or 
discontinued. 


§2.12 Applicability. 

(a) General—(1) Restrictions on 
disclosure. The restrictions on 
disclosure in the regulations in this part 
apply to any information, whether or 
not recorded, which: 

(i) Would identify a patient as having 
or having had a substance use disorder 
either directly, by reference to publicly 
available information, or through 
verification of such identification by 
another person; and 

(ii) Is drug abuse information obtained 
by a federally assisted drug abuse 
program after March 20, 1972 (part 2 
program), or is alcohol abuse 
information obtained by a federally 
assisted alcohol abuse program after 
May 13, 1974 (part 2 program); or if 
obtained before the pertinent date, is 
maintained by a part 2 program after 
that date as part of an ongoing treatment 
episode which extends past that date; 
for the purpose of treating a substance 
use disorder, making a diagnosis for that 
treatment, or making a referral for that 
treatment. 

(2) Restriction on use. The restriction 
on use of information to initiate or 
substantiate any criminal charges 
against a patient or to conduct any 
criminal investigation of a patient (42 
U.S.C. 290dd-2(c)) applies to any 
information, whether or not recorded, 
which is drug abuse information 
obtained by a federally assisted drug 
abuse program after March 20, 1972 
(part 2 program), or is alcohol abuse 
information obtained by a federally 
assisted alcohol abuse program after 
May 13, 1974 (part 2 program); or if 
obtained before the pertinent date, is 
maintained by a part 2 program after 
that date as part of an ongoing treatment 
episode which extends past that date; 
for the purpose of treating a substance 
use disorder, making a diagnosis for the 
treatment, or making a referral for the 
treatment. 

(b) Federal assistance. A program is 
considered to be federally assisted if: 

(1) It is conducted in whole or in part, 
whether directly or by contract or 
otherwise by any department or agency 
of the United States (but see paragraphs 
(c)(1) and (2) of this section relating to 
the Department of Veterans Affairs and 
the Armed Forces); 

(2) It is being carried out under a 
license, certification, registration, or 
other authorization granted by any 
department or agency of the United 
States including but not limited to: 

(i) Participating provider in the 
Medicare program; 

(ii) Authorization to conduct 
maintenance treatment or withdrawal 
management; or 

(iii) Registration to dispense a 
substance under the Controlled 
Substances Act to the extent the 
controlled substance is used in the 
treatment of substance use disorders; 

(3) It is supported by funds provided 
by any department or agency of the 
United States by being: 

(i) A recipient of federal financial 
assistance in any form, including 
financial assistance which does not 
directly pay for the substance use 
disorder diagnosis, treatment, or referral 
for treatment; or 

(ii) Conducted by a state or local 
government unit which, through general 
or special revenue sharing or other 
forms of assistance, receives federal 
funds which could be (but are not 
necessarily) spent for the substance use 
disorder program; or 

(4) It is assisted by the Internal 
Revenue Service of the Department of 
the Treasury through the allowance of 
income tax deductions for contributions 
to the program or through the granting 
of tax exempt status to the program. 

(c) Exceptions— (1) Department of 
Veterans Affairs. These regulations do 
not apply to information on substance 
use disorder patients maintained in 
connection with the Department of 
Veterans Affairs’ provision of hospital 
care, nursing home care, domiciliary 
care, and medical services under Title 
38, U.S.C. Those records are governed 
by 38 U.S.C. 7332 and regulations 
issued under that authority by the 
Secretary of Veterans Affairs. 

(2) Armed Forces. The regulations in 
this part apply to any information 
described in paragraph (a) of this 
section which was obtained by any 
component of the Armed Forces during 
a period when the patient was subject 
to the Uniform Code of Military Justice 
except: 

(i) Any interchange of that 
information within the Armed Forces; 
and 

(ii) Any interchange of that 
information between the Armed Forces 
and those components of the 
Department of Veterans Affairs 
furnishing health care to veterans. 
(3) Communication within a part 2 
program or between a part 2 program 
and an entity having direct 
administrative control over that part 2 
program. The restrictions on disclosure 
in the regulations in this part do not 
apply to communications of information 
between or among personnel having a 
need for the information in connection 
with their duties that arise out of the 
provision of diagnosis, treatment, or 
referral for treatment of patients with 
substance use disorders if the 
communications are: 

(i) Within a part 2 program; or 

(ii) Between a part 2 program and an 
entity that has direct administrative 
control over the program. 

(4) Qualified service organizations. 
The restrictions on disclosure in the 
regulations in this part do not apply to 
communications between a part 2 
program and a qualified service 
organization of information needed by 
the qualified service organization to 
provide services to the program. 

(5) Crimes on part 2 program premises 
or against part 2 program personnel. 
The restrictions on disclosure and use 
in the regulations in this part do not 
apply to communications from part 2 
program personnel to law enforcement 
agencies or officials which: 

(i) Are directly related to a patient’s 
commission of a crime on the premises 
of the part 2 program or against part 2 
program personnel or to a threat to 
commit such a crime; and 

(ii) Are limited to the circumstances 
of the incident, including the patient 
status of the individual committing or 
threatening to commit the crime, that 
individual’s name and address, and that 
individual’s last known whereabouts. 

(6) Reports of suspected child abuse 
and neglect. The restrictions on 
disclosure and use in the regulations in 
this part do not apply to the reporting 
under state law of incidents of 
suspected child abuse and neglect to the 
appropriate state or local authorities. 
However, the restrictions continue to 
apply to the original substance use 
disorder patient records maintained by 
the part 2 program including their 
disclosure and use for civil or criminal 
proceedings which may arise out of the 
report of suspected child abuse and 
neglect. 

(d) Applicability to recipients of 
information— (1) Restriction on use of 
information. The restriction on the use 
of any information subject to the 
regulations in this part to initiate or 
substantiate any criminal charges 
against a patient or to conduct any 
criminal investigation of a patient 
applies to any person who obtains that 
information from a part 2 program, 
regardless of the status of the person 
obtaining the information or whether 
the information was obtained in 
accordance with the regulations in this 
part. This restriction on use bars, among 
other things, the introduction of that 
information as evidence in a criminal 
proceeding and any other use of the 
information to investigate or prosecute a 
patient with respect to a suspected 
crime. Information obtained by 
undercover agents or informants (see 
§ 2.17) or through patient access (see 
§ 2.23) is subject to the restriction on 
use. 

(2) Restrictions on disclosures—(i) 
Third-party payers, administrative 
entities, and others. The restrictions on 
disclosure in the regulations in this part 
apply to: 

(A) Third-party payers with regard to 
records disclosed to them by part 2 
programs or under § 2.31(a)(4)(iii)(A); 

(B) Entities having direct 
administrative control over part 2 
programs with regard to information 
that is subject to the regulations in this 
part communicated to them by the part 
2 program under paragraph (c)(3) of this 
section; and 

(C) Individuals or entities who receive 
patient records directly from a part 2 
program or other lawful holder of 
patient identifying information and who 
are notified of the prohibition on re- 
disclosure in accordance with § 2.32. 

(ii) [Reserved] 

(e) Explanation of applicability—(1) 
Coverage. These regulations cover any 
information (including information on 
referral and intake) about patients 
receiving diagnosis, treatment, or 
referral for treatment for a substance use 
disorder created by a part 2 program. 
Coverage includes, but is not limited to, 
those treatment or rehabilitation 
programs, employee assistance 
programs, programs within general 
hospitals, school-based programs, and 
private practitioners who hold 
themselves out as providing, and 
provide substance use disorder 
diagnosis, treatment, or referral for 
treatment. However, the regulations in 
this part would not apply, for example, 
to emergency room personnel who refer 
a patient to the intensive care unit for 
an apparent overdose, unless the 
primary function of such personnel is 
the provision of substance use disorder 
diagnosis, treatment, or referral for 
treatment and they are identified as 
providing such services or the 
emergency room has promoted itself to 
the community as a provider of such 
services. 

(2) Federal assistance to program 
required. If a patient’s substance use 
disorder diagnosis, treatment, or referral 
for treatment is not provided by a part 
2 program, that patient’s record is not 
covered by the regulations in this part. 
Thus, it is possible for an individual 
patient to benefit from federal support 
and not be covered by the 
confidentiality regulations because the 
program in which the patient is enrolled 
is not federally assisted as defined in 
paragraph (b) of this section. For 
example, if a federal court placed an 
individual in a private for-profit 
program and made a payment to the 
program on behalf of that individual, 
that patient’s record would not be 
covered by the regulations in this part 
unless the program itself received 
federal assistance as defined by 
paragraph (b) of this section. 

(3) Information to which restrictions 
are applicable. Whether a restriction 
applies to use or disclosure affects the 
type of information which may be 
disclosed. The restrictions on disclosure 
apply to any information which would 
identify a patient as having or having 
had a substance use disorder. The 
restriction on use of information to 
bring criminal charges against a patient 
for a crime applies to any information 
obtained by the part 2 program for the 
purpose of diagnosis, treatment, or 
referral for treatment of patients with 
substance use disorders. (Note that 
restrictions on use and disclosure apply 
to recipients of information under 
paragraph (d) of this section.) 

(4) How type of diagnosis affects 
coverage. These regulations cover any 
record of a diagnosis identifying a 
patient as having or having had a 
substance use disorder which is initially 
prepared by a part 2 provider in 
connection with the treatment or 
referral for treatment of a patient with 
a substance use disorder. A diagnosis 
prepared for the purpose of treatment or 
referral for treatment but which is not so 
used is covered by the regulations in 
this part. The following are not covered 
by the regulations in this part: 

(i) Diagnosis which is made solely for 
the purpose of providing evidence for 
use by law enforcement agencies or 
officials; or 

(ii) A diagnosis of drug overdose or 
alcohol intoxication which clearly 
shows that the individual involved does 
not have a substance use disorder (e.g., 
involuntary ingestion of alcohol or 
drugs or reaction to a prescribed dosage 
of one or more drugs). 


§2.13 Confidentiality restrictions and 
safeguards. 

(a) General. The patient records 
subject to the regulations in this part 
may be disclosed or used only as 
permitted by the regulations in this part 
and may not otherwise be disclosed or 
used in any civil, criminal, 
administrative, or legislative 
proceedings conducted by any federal, 
state, or local authority. Any disclosure 
made under the regulations in this part 
must be limited to that information 
which is necessary to carry out the 
purpose of the disclosure. 

(b) Unconditional compliance 
required. The restrictions on disclosure 
and use in the regulations in this part 
apply whether or not the part 2 program 
or other lawful holder of the patient 
identifying information believes that the 
person seeking the information already 
has it, has other means of obtaining it, 
is a law enforcement agency or official 
or other government official, has 
obtained a subpoena, or asserts any 
other justification for a disclosure or use 
which is not permitted by the 
regulations in this part. 

(c) Acknowledging the presence of 
patients: Responding to requests. (1) 
The presence of an identified patient in 
a health care facility or component of a 
health care facility which is publicly 
identified as a place where only 
substance use disorder diagnosis, 
treatment, or referral for treatment is 
provided may be acknowledged only if 
the patient’s written consent is obtained 
in accordance with subpart C of this 
part or if an authorizing court order is 
entered in accordance with subpart E of 
this part. The regulations permit 
acknowledgement of the presence of an 
identified patient in a health care 
facility or part of a health care facility 
if the health care facility is not publicly 
identified as only a substance use 
disorder diagnosis, treatment, or referral 
for treatment facility, and if the 
acknowledgement does not reveal that 
the patient has a substance use disorder. 

(2) Any answer to a request for a 
disclosure of patient records which is 
not permissible under the regulations in 
this part must be made in a way that 
will not affirmatively reveal that an 
identified individual has been, or is 
being, diagnosed or treated for a 
substance use disorder. An inquiring 
party may be provided a copy of the 
regulations in this part and advised that 
they restrict the disclosure of substance 
use disorder patient records, but may 
not be told affirmatively that the 
regulations restrict the disclosure of the 
records of an identified patient. 

(d) List of disclosures. Upon request, 
patients who have consented to disclose 
their patient identifying information 
using a general designation pursuant to 
§ 2.31(a)(4)(iii)(B)(3) must be provided a 
list of entities to which their 
information has been disclosed 
pursuant to the general designation. 


(1) Under this paragraph (d), patient 
requests: 

(i) Must be made in writing; and 

(ii) Are limited to disclosures made 
within the past two years; 

(2) Under this paragraph (d), the 
entity named on the consent form that 
discloses information pursuant to a 
patient’s general designation (the entity 
that serves as an intermediary, as 
described in § 2.31(a)(4)(iii)(B)) must: 

(i) Respond in 30 or fewer days of 
receipt of the written request; and 

(ii) Provide, for each disclosure, the 
name(s) of the entity(-ies) to which the 
disclosure was made, the date of the 
disclosure, and a brief description of the 
patient identifying information 
disclosed. 

(3) The part 2 program is not 
responsible for compliance with this 
paragraph (d); the entity that serves as 
an intermediary, as described in 
§ 2.31(a)(4)(iii)(B), is responsible for 
compliance with the list of disclosures 
requirement. 


§ 2.14 Minor patients. 


(a) State law not requiring parental 
consent to treatment. If a minor patient 
acting alone has the legal capacity under 
the applicable state law to apply for and 
obtain substance use disorder treatment, 
any written consent for disclosure 
authorized under subpart C of this part 
may be given only by the minor patient. 
This restriction includes, but is not 
limited to, any disclosure of patient 
identifying information to the parent or 
guardian of a minor patient for the 
purpose of obtaining financial 
reimbursement. These regulations do 
not prohibit a part 2 program from 
refusing to provide treatment until the 
minor patient consents to the disclosure 
necessary to obtain reimbursement, but 
refusal to provide treatment may be 
prohibited under a state or local law 
requiring the program to furnish the 
service irrespective of ability to pay. 

(b) State law requiring parental 
consent to treatment. (1) Where state 
law requires consent of a parent, 
guardian, or other individual for a 
minor to obtain treatment for a 
substance use disorder, any written 
consent for disclosure authorized under 
subpart C of this part must be given by 
both the minor and their parent, 
guardian, or other individual authorized 
under state law to act in the minor’s 
behalf. 

(2) Where state law requires parental 
consent to treatment, the fact of a 
minor’s application for treatment may 
be communicated to the minor’s parent, 
guardian, or other individual authorized 
under state law to act in the minor’s 
behalf only if: 


(i) The minor has given written 
consent to the disclosure in accordance 
with subpart C of this part; or 

(ii) The minor lacks the capacity to 
make a rational choice regarding such 
consent as judged by the part 2 program 
director under paragraph (c) of this 
section. 

(c) Minor applicant for services lacks 
capacity for rational choice. Facts 
relevant to reducing a substantial threat 
to the life or physical well-being of the 
minor applicant or any other individual 
may be disclosed to the parent, 
guardian, or other individual authorized 
under state law to act in the minor’s 
behalf if the part 2 program director 
judges that: 

(1) A minor applicant for services 
lacks capacity because of extreme 
youth or mental or physical condition to 
make a rational decision on whether to 
consent to a disclosure under subpart C 
of this part to their parent, guardian, or 
other individual authorized under state 
law to act in the minor’s behalf; and 

(2) The minor applicant’s situation 
poses a substantial threat to the life or 
physical well-being of the minor 
applicant or any other individual which 
may be reduced by communicating 
relevant facts to the minor’s parent, 
guardian, or other individual authorized 
under state law to act in the minor’s 
behalf. 


§ 2.15 Incompetent and deceased patients. 


(a) Incompetent patients other than 
minors—(1) Adjudication of 
incompetence. In the case of a patient 
who has been adjudicated as lacking the 
capacity, for any reason other than 
insufficient age, to their own affairs, any 
consent which is required under the 
regulations in this part may be given by 
the guardian or other individual 
authorized under state law to act in the 
patient’s behalf. 

(2) No adjudication of incompetency. 
In the case of a patient, other than a 
minor or one who has been adjudicated 
incompetent, that for any period suffers 
from a medical condition that prevents 
knowing or effective action on their own 
behalf, the part 2 program director may 
exercise the right of the patient to 
consent to a disclosure under subpart C 
of this part for the sole purpose of 
obtaining payment for services from a 
third-party payer. 

(b) Deceased patients—(1) Vital 
statistics. These regulations do not 
restrict the disclosure of patient 
identifying information relating to the 
cause of death of a patient under laws 
requiring the collection of death or other 
vital statistics or permitting inquiry into 
the cause of death. 

(2) Consent by personal 
representative. Any other disclosure of 
information identifying a deceased 
patient as having a substance use 
disorder is subject to the regulations in 
this part. If a written consent to the 
disclosure is required, that consent may 
be given by an executor, administrator, 
or other personal representative 
appointed under applicable state law. If 
there is no such applicable state law 
appointment, the consent may be given 
by the patient’s spouse or, if none, by 
any responsible member of the patient’s 
family. 


§ 2.16 Security for records. 


(a) The part 2 program or other lawful 
holder of patient identifying 
information must have in place formal 
policies and procedures to reasonably 
protect against unauthorized uses and 
disclosures of patient identifying 
information and to protect against 
reasonably anticipated threats or 
hazards to the security of patient 
identifying information. These formal 
policies and procedures must address: 

(1) Paper records, including: 

(i) Transferring and removing such 
records; 

(ii) Destroying such records, including 
sanitizing the hard copy media 
associated with the paper printouts, to 
render the patient identifying 
information non-retrievable; 

(iii) Maintaining such records in a 
secure room, locked file cabinet, safe, or 
other similar container, or storage 
facility when not in use; 

(iv) Using and accessing workstations, 
secure rooms, locked file cabinets, safes, 
or other similar containers, and storage 
facilities that use or store such 
information; and 

(v) Rendering patient identifying 
information non-identifiable in a 
manner that creates a very low risk of 
re-identification (e.g., removing direct 
identifiers). 

(2) Electronic records, including: 

(i) Creating, receiving, maintaining, 
and transmitting such records; 

(ii) Destroying such records, including 
sanitizing the electronic media on 
which such records are stored, to render 
the patient identifying information non- 
retrievable; 

(iii) Using and accessing electronic 
records or other electronic media 
containing patient identifying 
information; and 

(iv) Rendering the patient identifying 
information non-identifiable in a 
manner that creates a very low risk of 
re-identification (e.g., removing direct 
identifiers). 

(b) [Reserved] 


§ 2.17 Undercover agents and informants. 

(a) Restrictions on placement. Except 
as specifically authorized by a court 
order granted under § 2.67, no part 2 
program may knowingly employ, or 
enroll as a patient, any undercover agent 
or informant. 

(b) Restriction on use of information. 
No information obtained by an 
undercover agent or informant, whether 
or not that undercover agent or 
informant is placed in a part 2 program 
pursuant to an authorizing court order, 
may be used to criminally investigate or 
prosecute any patient. 


§ 2.18 Restrictions on the use of 
identification cards. 

No person may require any patient to 
carry in their immediate possession 
while away from the part 2 program 
premises any card or other object which 
would identify the patient as having a 
substance use disorder. This section 
does not prohibit a person from 
requiring patients to use or carry cards 
or other identification objects on the 
premises of a part 2 program. 


§ 2.19 Disposition of records by 
discontinued programs. 

(a) General. If a part 2 program 
discontinues operations or is taken over 
or acquired by another program, it must 
remove patient identifying information 
from its records or destroy its records, 
including sanitizing any associated hard 
copy or electronic media, to render the 
patient identifying information non- 
retrievable in a manner consistent with 
the policies and procedures established 
under § 2.16, unless: 

(1) The patient who is the subject of 
the records gives written consent 
(meeting the requirements of § 2.31) to 
a transfer of the records to the acquiring 
program or to any other program 
designated in the consent (the manner 
of obtaining this consent must minimize 
the likelihood of a disclosure of patient 
identifying information to a third party); 
or 

(2) There is a legal requirement that 
the records be kept for a period 
specified by law which does not expire 
until after the discontinuation or 
acquisition of the part 2 program. 

(b) Special procedure where retention 
period required by law. If paragraph 
(a)(2) of this section applies: 

(1) Records, which are paper, must be: 

(i) Sealed in envelopes or other 
containers labeled as follows: “Records 
of [insert name of program] required to 
be maintained under [insert citation to 
statute, regulation, court order or other 
legal authority requiring that records be 
kept] until a date not later than [insert 
appropriate date]”; 


(A) All hard copy media from which 
the paper records were produced, such 
as printer and facsimile ribbons, drums, 
etc., must be sanitized to render the data 
non-retrievable; and 

(B) [Reserved] 

(ii) Held under the restrictions of the 
regulations in this part by a responsible 
person who must, as soon as practicable 
after the end of the required retention 
period specified on the label, destroy 
the records and sanitize any associated 
hard copy media to render the patient 
identifying information non-retrievable 
in a manner consistent with the 
discontinued program’s or acquiring 
program’s policies and procedures 
established under § 2.16. 

(2) Records, which are electronic, 
must be: 

(i) Transferred to a portable electronic 
device with implemented encryption to 
encrypt the data at rest so that there is 
a low probability of assigning meaning 
without the use of a confidential process 
or key and implemented access controls 
for the confidential process or key; or 

(ii) Transferred, along with a backup 
copy, to separate electronic media, so 
that both the records and the backup 
copy have implemented encryption to 
encrypt the data at rest so that there is 
a low probability of assigning meaning 
without the use of a confidential process 
or key and implemented access controls 
for the confidential process or key; and 

(iii) Within one year of the 
discontinuation or acquisition of the 
program, all electronic media on which 
the patient records or patient identifying 
information resided prior to being 
transferred to the device specified in (i) 
above or the original and backup 
electronic media specified in (ii) above, 
including email and other electronic 
communications, must be sanitized to 
render the patient identifying 
information non-retrievable in a manner 
consistent with the discontinued 
program’s or acquiring program’s 
policies and procedures established 
under § 2.16; and 

(iv) The portable electronic device or 
the original and backup electronic 
media must be: 

(A) Sealed in a container along with 
any equipment needed to read or access 
the information, and labeled as follows: 
“Records of [insert name of program] 
required to be maintained under [insert 
citation to statute, regulation, court 
order or other legal authority requiring 
that records be kept] until a date not 
later than [insert appropriate date];” and 

(B) Held under the restrictions of the 
regulations in this part by a responsible 
person who must store the container in 
a manner that will protect the 
information (e.g., climate controlled 
environment); and 

(v) The responsible person must be 
included on the access control list and 
be provided a means for decrypting the 
data. The responsible person must store 
the decryption tools on a device or at a 
location separate from the data they are 
used to encrypt or decrypt; and 

(vi) As soon as practicable after the 
end of the required retention period 
specified on the label, the portable 
electronic device or the original and 
backup electronic media must be 
sanitized to render the patient 
identifying information non-retrievable 
consistent with the policies established 
under § 2.16. 


§ 2.20 Relationship to state laws. 


The statute authorizing the 
regulations in this part (42 U.S.C. 
290dd-2) does not preempt the field of 
law which they cover to the exclusion 
of all state laws in that field. If a 
disclosure permitted under the 
regulations in this part is prohibited 
under state law, neither the regulations 
in this part nor the authorizing statute 
may be construed to authorize any 
violation of that state law. However, no 
state law may either authorize or 
compel any disclosure prohibited by the 
regulations in this part. 


§ 2.21 Relationship to federal statutes 
protecting research subjects against 
compulsory disclosure of their identity. 

(a) Research privilege description. 
There may be concurrent coverage of 
patient identifying information by the 
regulations in this part and by 
administrative action taken under 
section 502(c) of the Controlled 
Substances Act (21 U.S.C. 872(c) and 
the implementing regulations at 21 CFR 
part 1316); or section 301(d) of the 
Public Health Service Act (42 U.S.C. 
241(d) and the implementing 
regulations at 42 CFR part 2a). These 
research privilege statutes confer on the 
Secretary of Health and Human Services 
and on the Attorney General, 
respectively, the power to authorize 
researchers conducting certain types of 
research to withhold from all persons 
not connected with the research the 
names and other identifying information 
concerning individuals who are the 
subjects of the research. 

(b) Effect of concurrent coverage. 
These regulations restrict the disclosure 
and use of information about patients, 
while administrative action taken under 
the research privilege statutes and 
implementing regulations protects a 
person engaged in applicable research 
from being compelled to disclose any 
identifying characteristics of the 
individuals who are the subjects of that 
research. The issuance under subpart E 
of this part of a court order authorizing 
a disclosure of information about a 
patient does not affect an exercise of 
authority under these research privilege 
statutes. 


§ 2.22 Notice to patients of federal 
confidentiality requirements. 

(a) Notice required. At the time of 
admission to a part 2 program or, in the 
case that a patient does not have 
capacity upon admission to understand 
his or her medical status, as soon 
thereafter as the patient attains such 
capacity, each part 2 program shall: 

(1) Communicate to the patient that 
federal law and regulations protect the 
confidentiality of substance use disorder 
patient records; and 

(2) Give to the patient a summary in 
writing of the federal law and 
regulations. 

(b) Required elements of written 
summary. The written summary of the 
federal law and regulations must 
include: 

(1) A general description of the 
limited circumstances under which a 
part 2 program may acknowledge that 
an individual is present or disclose 
outside the part 2 program information 
identifying a patient as having or having 
had a substance use disorder; 

(2) A statement that violation of the 
federal law and regulations by a part 2 
program is a crime and that suspected 
violations may be reported to 
appropriate authorities consistent with 
§ 2.4, along with contact information; 

(3) A statement that information 
related to a patient’s commission of a 
crime on the premises of the part 2 
program or against personnel of the part 
2 program is not protected; 

(4) A statement that reports of 
suspected child abuse and neglect made 
under state law to appropriate state or 
local authorities are not protected; and 

(5) A citation to the federal law and 
regulations. 

(c) Program options. The part 2 
program must devise a notice to comply 
with the requirement to provide the 
patient with a summary in writing of the 
federal law and regulations. In this 
written summary, the part 2 program 
also may include information 
concerning state law and any of the part 
2 program’s policies that are not 
inconsistent with state and federal law 
on the subject of confidentiality of 
substance use disorder patient records. 


§ 2.23 Patient access and restrictions on 
use. 


(a) Patient access not prohibited. 
These regulations do not prohibit a part 
2 program from giving a patient access 
to their own records, including the 
opportunity to inspect and copy any 
records that the part 2 program 
maintains about the patient. The part 2 
program is not required to obtain a 
patient’s written consent or other 
authorization under the regulations in 
this part in order to provide such access 
to the patient. 

(b) Restriction on use of information. 
Information obtained by patient access 
to his or her patient record is subject to 
the restriction on use of this information 
to initiate or substantiate any criminal 
charges against the patient or to conduct 
any criminal investigation of the patient 
as provided for under § 2.12(d)(1). 


Subpart C—Disclosures With Patient 
Consent 


§ 2.31 Consent requirements. 

(a) Required elements for written 
consent. A written consent to a 
disclosure under the regulations in this 
part may be paper or electronic and 
must include: 

(1) The name of the patient. 

(2) The specific name(s) or general 
designation(s) of the part 2 program(s), 
entity(ies), or individual(s) permitted to 
make the disclosure. 

(3) How much and what kind of 
information is to be disclosed, including 
an explicit description of the substance 
use disorder information that may be 
disclosed. 

(4)(i) The name(s) of the individual(s) 
to whom a disclosure is to be made; or 

(ii) Entities with a treating provider 
relationship with the patient. If the 
recipient entity has a treating provider 
relationship with the patient whose 
information is being disclosed, such as 
a hospital, a health care clinic, or a 
private practice, the name of that entity; 
or 

(iii) Entities without a treating 
provider relationship with the patient. 

(A) If the recipient entity does not 
have a treating provider relationship 
with the patient whose information is 
being disclosed and is a third-party 
payer, the name of the entity; or 

(B) If the recipient entity does not 
have a treating provider relationship 
with the patient whose information is 
being disclosed and is not covered by 
paragraph (a)(4)(iii)(A) of this section, 
such as an entity that facilitates the 
exchange of health information or a 
research institution, the name(s) of the 
entity(-ies); and 

(1) The name(s) of an individual 
participant(s); or 

(2) The name(s) of an entity 
participant(s) that has a treating 
provider relationship with the patient 
whose information is being disclosed; or 

(3) A general designation of an 
individual or entity participant(s) or 
class of participants that must be 
limited to a participant(s) who has a 
treating provider relationship with the 
patient whose information is being 
disclosed. 

(i) When using a general designation, 
a statement must be included on the 
consent form that the patient (or other 
individual authorized to sign in lieu of 
the patient), confirms their 
understanding that, upon their request 
and consistent with this part, they must 
be provided a list of entities to which 
their information has been disclosed 
pursuant to the general designation (see 
§ 2.13(d)). 

(ii) [Reserved] 

(5) The purpose of the disclosure. In 
accordance with § 2.13(a), the disclosure 
must be limited to that information 
which is necessary to carry out the 
stated purpose. 

(6) A statement that the consent is 
subject to revocation at any time except 
to the extent that the part 2 program or 
other lawful holder of patient 
identifying information that is permitted 
to make the disclosure has already acted 
in reliance on it. Acting in reliance 
includes the provision of treatment 
services in reliance on a valid consent 
to disclose information to a third-party 
payer. 

(7) The date, event, or condition upon 
which the consent will expire if not 
revoked before. This date, event, or 
condition must ensure that the consent 
will last no longer than reasonably 
necessary to serve the purpose for 
which it is provided. 

(8) The signature of the patient and, 
when required for a patient who is a 
minor, the signature of an individual 
authorized to give consent under § 2.14; 
or, when required for a patient who is 
incompetent or deceased, the signature 
of an individual authorized to sign 
under § 2.15. Electronic signatures are 
permitted to the extent that they are not 
prohibited by any applicable law. 

(9) The date on which the consent is 
signed. 

(b) Expired, deficient, or false 
consent. A disclosure may not be made 
on the basis of a consent which: 

(1) Has expired; 

(2) On its face substantially fails to 
conform to any of the requirements set 
forth in paragraph (a) of this section; 

(3) Is known to have been revoked; or 

(4) Is known, or through reasonable 
diligence could be known, by the 
individual or entity holding the records 
to be materially false. 


§ 2.32 Prohibition on re-disclosure. 

(a) Notice to accompany disclosure. 
Each disclosure made with the patient’s 
written consent must be accompanied 
by the following written statement: This 
information has been disclosed to you 
from records protected by federal 
confidentiality rules (42 CFR part 2). 
The federal rules prohibit you from 
making any further disclosure of 
information in this record that identifies 
a patient as having or having had a 
substance use disorder either directly, 
by reference to publicly available 
information, or through verification of 
such identification by another person 
unless further disclosure is expressly 
permitted by the written consent of the 
individual whose information is being 
disclosed or as otherwise permitted by 
42 CFR part 2. A general authorization 
for the release of medical or other 
information is NOT sufficient for this 
purpose (see § 2.31). The federal rules 
restrict any use of the information to 
investigate or prosecute with regard to 
a crime any patient with a substance use 
disorder, except as provided at 
§§ 2.12(c)(5) and 2.65. 

(b) [Reserved] 


§ 2.33 Disclosures permitted with written 
consent. 

If a patient consents to a disclosure of 
their records under § 2.31, a program 
may disclose those records in 
accordance with that consent to any 
person identified in the consent, except 
that disclosures to central registries and 
in connection with criminal justice 
referrals must meet the requirements of 
§§ 2.34 and 2.35, respectively. 


§ 2.34 Disclosures to prevent multiple 
enrollments. 

(a) Restrictions on disclosure. A part 
2 program, as defined in § 2.11, may 
disclose patient records to a central 
registry or to any withdrawal 
management or maintenance treatment 
program not more than 200 miles away 
for the purpose of preventing the 
multiple enrollment of a patient only if: 

(1) The disclosure is made when: 

(i) The patient is accepted for 
treatment; 

(ii) The type or dosage of the drug is 
changed; or 

(iii) The treatment is interrupted, 
resumed or terminated. 

(2) The disclosure is limited to: 

(i) Patient identifying information; 

(ii) Type and dosage of the drug; and 

(iii) Relevant dates. 

(3) The disclosure is made with the 
patient’s written consent meeting the 
requirements of § 2.31, except that: 

(i) The consent must list the name and 
address of each central registry and each 
known withdrawal management or 
maintenance treatment program to 
which a disclosure will be made; and 


(ii) The consent may authorize a 
disclosure to any withdrawal 
management or maintenance treatment 
program established within 200 miles of 
the program, but does not need to 
individually name all programs. 

(b) Use of information limited to 
prevention of multiple enrollments. A 
central registry and any withdrawal 
management or maintenance treatment 
program to which information is 
disclosed to prevent multiple 
enrollments may not re-disclose or use 
patient identifying information for any 
purpose other than the prevention of 
multiple enrollments unless authorized 
by a court order under subpart E of this 
part. 

(c) Permitted disclosure by a central 
registry to prevent a multiple 
enrollment. When a member program 
asks a central registry if an identified 
patient is enrolled in another member 
program and the registry determines 
that the patient is so enrolled, the 
registry may disclose: 

(1) The name, address, and telephone 
number of the member program(s) in 
which the patient is already enrolled to 
the inquiring member program; and 

(2) The name, address, and telephone 
number of the inquiring member 
program to the member program(s) in 
which the patient is already enrolled. 
The member programs may 
communicate as necessary to verify that 
no error has been made and to prevent 
or eliminate any multiple enrollments. 

(d) Permitted disclosure by a 
withdrawal management or 
maintenance treatment program to 
prevent a multiple enrollment. A 
withdrawal management or 
maintenance treatment program which 
has received a disclosure under this 
section and has determined that the 
patient is already enrolled may 
communicate as necessary with the 
program making the disclosure to verify 
that no error has been made and to 
prevent or eliminate any multiple 
enrollments. 


§ 2.35 Disclosures to elements of the 
criminal justice system which have referred 
patients. 

(a) A part 2 program may disclose 
information about a patient to those 
individuals within the criminal justice 
system who have made participation in 
the part 2 program a condition of the 
disposition of any criminal proceedings 
against the patient or of the patient’s 
parole or other release from custody if: 

(1) The disclosure is made only to 
those individuals within the criminal 
justice system who have a need for the 
information in connection with their 
duty to monitor the patient’s progress 
(e.g., a prosecuting attorney who is 
withholding charges against the patient, 
a court granting pretrial or post-trial 
release, probation or parole officers 
responsible for supervision of the 
patient); and 

(2) The patient has signed a written 
consent meeting the requirements of 
§ 2.31 (except paragraph (a)(8) which is 
inconsistent with the revocation 
provisions of paragraph (c) of this 
section) and the requirements of 
paragraphs (b) and (c) of this section. 

(b) Duration of consent. The written 
consent must state the period during 
which it remains in effect. This period 
must be reasonable, taking into account: 

(1) The anticipated length of the 
treatment; 

(2) The type of criminal proceeding 
involved, the need for the information 
in connection with the final disposition 
of that proceeding, and when the final 
disposition will occur; and 

(3) Such other factors as the part 2 
program, the patient, and the 
individual(s) within the criminal justice 
system who will receive the disclosure 
consider pertinent. 

(c) Revocation of consent. The written 
consent must state that it is revocable 
upon the passage of a specified amount 
of time or the occurrence of a specified, 
ascertainable event. The time or 
occurrence upon which consent 
becomes revocable may be no later than 
the final disposition of the conditional 
release or other action in connection 
with which consent was given. 

(d) Restrictions on re-disclosure and 
use. An individual within the criminal 
justice system who receives patient 
information under this section may re- 
disclose and use it only to carry out that 
individual’s official duties with regard 
to the patient’s conditional release or 
other action in connection with which 
the consent was given. 


Subpart D—Disclosures Without 
Patient Consent 


§ 2.51 Medical emergencies. 


(a) General rule. Under the procedures 
required by paragraph (c) of this section, 
patient identifying information may be 
disclosed to medical personnel to the 
extent necessary to meet a bona fide 
medical emergency in which the 
patient’s prior informed consent cannot 
be obtained. 

(b) Special rule. Patient identifying 
information may be disclosed to 
medical personnel of the Food and Drug 
Administration (FDA) who assert a 
reason to believe that the health of any 
individual may be threatened by an 
error in the manufacture, labeling, or 
sale of a product under FDA 
jurisdiction, and that the information 
will be used for the exclusive purpose 
of notifying patients or their physicians 
of potential dangers. 

(c) Procedures. Immediately following 
disclosure, the part 2 program shall 
document, in writing, the disclosure in 
the patient’s records, including: 

(1) The name of the medical 
personnel to whom disclosure was 
made and their affiliation with any 
health care facility; 

(2) The name of the individual 
making the disclosure; 

(3) The date and time of the 
disclosure; and 

(4) The nature of the emergency (or 
error, if the report was to FDA). 


§ 2.52 Research. 


(a) Notwithstanding other provisions 
of this part, including paragraph (b)(2) 
of this section, patient identifying 
information may be disclosed by the 
part 2 program or other lawful holder of 
part 2 data, for the purpose of 
conducting scientific research if the 
individual designated as director or 
managing director, or individual 
otherwise vested with authority to act as 
chief executive officer or their designee 
makes a determination that the recipient 
of the patient identifying information: 

(1) If a HIPAA-covered entity or 
business associate, has obtained and 
documented authorization from the 
patient, or a waiver or alteration of 
authorization, consistent with the 
HIPAA Privacy Rule at 45 CFR 164.508 
or 164.512(i), as applicable; or 

(2) If subject to the HHS regulations 
regarding the protection of human 
subjects (45 CFR part 46), either 
provides documentation that the 
researcher is in compliance with the 
requirements of the HHS regulations, 
including the requirements related to 
informed consent or a waiver of consent 
(45 CFR 46.111 and 46.116) or that the 
research qualifies for exemption under 
the HHS regulations (45 CFR 46.101(b) 
and any successor regulations; or 

(3) If both a HIPAA covered entity or 
business associate and subject to the 
HHS regulations regarding the 
protection of human subjects, has met 
the requirements of paragraphs (a)(1) 
and (2) of this section; and 

(4) If neither a HIPAA covered entity 
or business associate or subject to the 
HHS regulations regarding the 
protection of human subjects, this 
section does not apply. 

(b) Any individual or entity 
conducting scientific research using 
patient identifying information obtained 
under paragraph (a) of this section: 

(1) Is fully bound by the regulations 
in this part and, if necessary, will resist
in judicial proceedings any efforts to
obtain access to patient records except 
as permitted by the regulations in this 
part. 

(2) Must not re-disclose patient 
identifying information except back to 
the individual or entity from whom that 
patient identifying information was 
obtained or as permitted under 
paragraph (c) of this section. 

(3) May include part 2 data in 
research reports only in aggregate form 
in which patient identifying information 
has been rendered non-identifiable such 
that the information cannot be
re-identified and serve as an unauthorized
means to identify a patient, directly or 
indirectly, as having or having had a 
substance use disorder. 

(4) Must maintain and destroy patient 
identifying information in accordance 
with the security policies and 
procedures established under § 2.16. 

(5) Must retain records in compliance 
with applicable federal, state, and local 
record retention laws. 

(c) Data linkages—(1) Researchers. 
Any individual or entity conducting 
scientific research using patient 
identifying information obtained under 
paragraph (a) of this section that 
requests linkages to data sets from a data 
repository(-ies) holding patient 
identifying information must: 

(i) Have the request reviewed and 
approved by an Institutional Review 
Board (IRB) registered with the 
Department of Health and Human 
Services, Office for Human Research 
Protections in accordance with 45 CFR 
part 46 to ensure that patient privacy is 
considered and the need for identifiable 
data is justified. Upon request, the 
researcher may be required to provide 
evidence of the IRB approval of the 
research project that contains the data 
linkage component. 

(ii) Ensure that patient identifying 
information obtained under paragraph 
(a) of this section is not provided to law 
enforcement agencies or officials. 

(2) Data repositories. For purposes of 
this section, a data repository is fully 
bound by the provisions of part 2 upon 
receipt of the patient identifying data 
and must: 

(i) After providing the researcher with 
the linked data, destroy or delete the 
linked data from its records, including 
sanitizing any associated hard copy or 
electronic media, to render the patient 
identifying information non-retrievable 
in a manner consistent with the policies 
and procedures established under § 2.16 
Security for records. 

(ii) Ensure that patient identifying 
information obtained under paragraph 
(a) of this section is not provided to law 
enforcement agencies or officials. 




Federal Register/Vol. 82, No. 11/Wednesday, January 18, 2017/Rules and Regulations 








(2) Except as provided in paragraph 
(c) of this section, a researcher may not 
redisclose patient identifying 
information for data linkages purposes. 


§2.53 Audit and evaluation. 

(a) Records not copied or removed. If 
patient records are not downloaded, 
copied or removed from the part 2 
program premises or forwarded 
electronically to another electronic 
system or device, patient identifying 
information, as defined in § 2.11, may 
be disclosed in the course of a review 
of records on the part 2 program 
premises to any individual or entity 
who agrees in writing to comply with 
the limitations on re-disclosure and use
in paragraph (d) of this section and who:


(1) Performs the audit or evaluation 
on behalf of: 

(i) Any federal, state, or local 
government agency which provides 
financial assistance to the part 2 
program or is authorized by law to 
regulate its activities; or 

(ii) Any individual or entity who 
provides financial assistance to the part 
2 program, which is a third-party payer 
covering patients in the part 2 program, 
or which is a quality improvement 
organization performing a utilization or 
quality control review; or 

(2) Is determined by the part 2 
program to be qualified to conduct an 
audit or evaluation of the part 2 
program. 

(b) Copying, removing, downloading, 
or forwarding patient records. Records 
containing patient identifying 
information, as defined in § 2.11, may 
be copied or removed from a part 2 
program premises or downloaded or 
forwarded to another electronic system 
or device from the part 2 program’s 
electronic records by any individual or 
entity who: 

(1) Agrees in writing to: 

(i) Maintain and destroy the patient 
identifying information in a manner 
consistent with the policies and 
procedures established under § 2.16; 

(ii) Retain records in compliance with 
applicable federal, state, and local 
record retention laws; and 

(iii) Comply with the limitations on 
disclosure and use in paragraph (d) of 
this section; and 

(2) Performs the audit or evaluation 
on behalf of: 

(i) Any federal, state, or local 
government agency which provides 
financial assistance to the part 2 
program or is authorized by law to 
regulate its activities; or 

(ii) Any individual or entity who 
provides financial assistance to the part 
2 program, which is a third-party payer 
covering patients in the part 2 program,
or which is a quality improvement
organization performing a utilization or 
quality control review. 

(c) Medicare, Medicaid, Children’s 
Health Insurance Program (CHIP), or 
related audit or evaluation. (1) Patient 
identifying information, as defined in 
§ 2.11, may be disclosed under 
paragraph (c) of this section to any 
individual or entity for the purpose of 
conducting a Medicare, Medicaid, or 
CHIP audit or evaluation, including an 
audit or evaluation necessary to meet 
the requirements for a Centers for 
Medicare & Medicaid Services
(CMS)-regulated accountable care organization
(CMS-regulated ACO) or similar
CMS-regulated organization (including a
CMS-regulated Qualified Entity (QE)), if 
the individual or entity agrees in writing 
to comply with the following: 

(i) Maintain and destroy the patient 
identifying information in a manner 
consistent with the policies and 
procedures established under § 2.16; 

(ii) Retain records in compliance with 
applicable federal, state, and local 
record retention laws; and 

(iii) Comply with the limitations on 
disclosure and use in paragraph (d) of 
this section. 

(2) A Medicare, Medicaid, or CHIP 
audit or evaluation under this section 
includes a civil or administrative 
investigation of a part 2 program by any 
federal, state, or local government 
agency with oversight responsibilities 
for Medicare, Medicaid, or CHIP and 
includes administrative enforcement, 
against the part 2 program by the 
government agency, of any remedy 
authorized by law to be imposed as a 
result of the findings of the 
investigation. 

(3) An audit or evaluation necessary 
to meet the requirements for a
CMS-regulated ACO or similar CMS-regulated
organization (including a CMS-regulated 
QE) must be conducted in accordance 
with the following: 

(i) A CMS-regulated ACO or similar 
CMS-regulated organization (including a 
CMS-regulated QE) must: 

(A) Have in place administrative
and/or clinical systems; and

(B) Have in place a leadership and 
management structure, including a 
governing body and chief executive 
officer with responsibility for oversight 
of the organization’s management and 
for ensuring compliance with and 
adherence to the terms and conditions 
of the Participation Agreement or 
similar documentation with CMS; and 

(ii) A CMS-regulated ACO or similar 
CMS-regulated organization (including a 
CMS-regulated QE) must have a signed 
Participation Agreement or similar 
documentation with CMS, which
provides that the CMS-regulated ACO or
similar CMS-regulated organization 
(including a CMS-regulated QE): 

(A) Is subject to periodic evaluations 
by CMS or its agents, or is required by 
CMS to evaluate participants in the 
CMS-regulated ACO or similar
CMS-regulated organization (including a
CMS-regulated QE) relative to
CMS-defined or approved quality and/or cost
measures; 

(B) Must designate an executive who 
has the authority to legally bind the 
organization to ensure compliance with 
42 U.S.C. 290dd-2 and this part and the 
terms and conditions of the 
Participation Agreement in order to 
receive patient identifying information 
from CMS or its agents; 

(C) Agrees to comply with all 
applicable provisions of 42 U.S.C. 
290dd-2 and this part; 

(D) Must ensure that any audit or 
evaluation involving patient identifying 
information occurs in a confidential and 
controlled setting approved by the 
designated executive; 

(E) Must ensure that any 
communications or reports or other 
documents resulting from an audit or 
evaluation under this section do not 
allow for the direct or indirect 
identification (e.g., through the use of 
codes) of a patient as having or having 
had a substance use disorder; and 

(F) Must establish policies and 
procedures to protect the confidentiality 
of the patient identifying information 
consistent with this part, the terms and 
conditions of the Participation 
Agreement, and the requirements set 
forth in paragraph (c)(1) of this section. 

(4) Program, as defined in § 2.11, 
includes an employee of, or provider of 
medical services under the program 
when the employee or provider is the 
subject of a civil investigation or 
administrative remedy, as those terms 
are used in paragraph (c)(2) of this 
section. 

(5) If a disclosure to an individual or 
entity is authorized under this section 
for a Medicare, Medicaid, or CHIP audit 
or evaluation, including a civil 
investigation or administrative remedy, 
as those terms are used in paragraph 
(c)(2) of this section, then a quality 
improvement organization which 
obtains the information under paragraph 
(a) or (b) of this section may disclose the 
information to that individual or entity 
but only for the purpose of conducting 
a Medicare, Medicaid, or CHIP audit or 
evaluation. 

(6) The provisions of this paragraph 
do not authorize the part 2 program, the 
federal, state, or local government 
agency, or any other individual or entity 
to disclose or use patient identifying 
information obtained during the audit or
evaluation for any purposes other than 
those necessary to complete the audit or 
evaluation as specified in paragraph (c) 
of this section. 

(d) Limitations on disclosure and use. 
Except as provided in paragraph (c) of 
this section, patient identifying 
information disclosed under this section 
may be disclosed only back to the 
program from which it was obtained 
and used only to carry out an audit or 
evaluation purpose or to investigate or 
prosecute criminal or other activities, as 
authorized by a court order entered 
under § 2.66. 


Subpart E—Court Orders Authorizing 
Disclosure and Use 


§ 2.61 Legal effect of order. 


(a) Effect. An order of a court of 
competent jurisdiction entered under 
this subpart is a unique kind of court 
order. Its only purpose is to authorize a 
disclosure or use of patient information 
which would otherwise be prohibited 
by 42 U.S.C. 290dd-2 and the
regulations in this part. Such an order 
does not compel disclosure. A subpoena 
or a similar legal mandate must be 
issued in order to compel disclosure. 
This mandate may be entered at the 
same time as and accompany an 
authorizing court order entered under 
the regulations in this part. 

(b) Examples. (1) A person holding 
records subject to the regulations in this 
part receives a subpoena for those 
records. The person may not disclose 
the records in response to the subpoena 
unless a court of competent jurisdiction 
enters an authorizing order under the 
regulations in this part. 

(2) An authorizing court order is 
entered under the regulations in this 
part, but the person holding the records 
does not want to make the disclosure. If 
there is no subpoena or other 
compulsory process or a subpoena for 
the records has expired or been 
quashed, that person may refuse to 
make the disclosure. Upon the entry of 
a valid subpoena or other compulsory 
process the person holding the records 
must disclose, unless there is a valid 
legal defense to the process other than 
the confidentiality restrictions of the 
regulations in this part. 


§2.62 Order not applicable to records 
disclosed without consent to researchers, 
auditors and evaluators. 

A court order under the regulations in 
this part may not authorize qualified 
personnel, who have received patient 
identifying information without consent 
for the purpose of conducting research, 
audit or evaluation, to disclose that
information or use it to conduct any
criminal investigation or prosecution of 
a patient. However, a court order under 
§ 2.66 may authorize disclosure and use 
of records to investigate or prosecute 
qualified personnel holding the records. 


§2.63 Confidential communications. 


(a) A court order under the 
regulations in this part may authorize 
disclosure of confidential 
communications made by a patient to a 
part 2 program in the course of 
diagnosis, treatment, or referral for 
treatment only if: 

(1) The disclosure is necessary to 
protect against an existing threat to life 
or of serious bodily injury, including 
circumstances which constitute 
suspected child abuse and neglect and 
verbal threats against third parties; 

(2) The disclosure is necessary in 
connection with investigation or 
prosecution of an extremely serious 
crime allegedly committed by the 
patient, such as one which directly 
threatens loss of life or serious bodily 
injury, including homicide, rape, 
kidnapping, armed robbery, assault with 
a deadly weapon, or child abuse and 
neglect; or 

(3) The disclosure is in connection 
with litigation or an administrative 
proceeding in which the patient offers 
testimony or other evidence pertaining 
to the content of the confidential 
communications. 

(b) [Reserved] 


§2.64 Procedures and criteria for orders 
authorizing disclosures for noncriminal 
purposes. 

(a) Application. An order authorizing 
the disclosure of patient records for 
purposes other than criminal 
investigation or prosecution may be 
applied for by any person having a 
legally recognized interest in the 
disclosure which is sought. The 
application may be filed separately or as 
part of a pending civil action in which 
the applicant asserts that the patient 
records are needed to provide evidence. 
An application must use a fictitious 
name, such as John Doe, to refer to any 
patient and may not contain or 
otherwise disclose any patient 
identifying information unless the 
patient is the applicant or has given 
written consent (meeting the 
requirements of the regulations in this 
part) to disclosure or the court has 
ordered the record of the proceeding 
sealed from public scrutiny. 

(b) Notice. The patient and the person 
holding the records from whom 
disclosure is sought must be provided: 

(1) Adequate notice in a manner 
which does not disclose patient
identifying information to other
persons; and 

(2) An opportunity to file a written 
response to the application, or to appear 
in person, for the limited purpose of 
providing evidence on the statutory and 
regulatory criteria for the issuance of the 
court order as described in § 2.64(d). 

(c) Review of evidence: Conduct of 
hearing. Any oral argument, review of 
evidence, or hearing on the application 
must be held in the judge’s chambers or 
in some manner which ensures that 
patient identifying information is not 
disclosed to anyone other than a party 
to the proceeding, the patient, or the 
person holding the record, unless the 
patient requests an open hearing in a 
manner which meets the written 
consent requirements of the regulations 
in this part. The proceeding may 
include an examination by the judge of 
the patient records referred to in the 
application. 

(d) Criteria for entry of order. An 
order under this section may be entered 
only if the court determines that good 
cause exists. To make this 
determination the court must find that: 

(1) Other ways of obtaining the 
information are not available or would 
not be effective; and 

(2) The public interest and need for 
the disclosure outweigh the potential 
injury to the patient, the
physician-patient relationship and the treatment
services. 

(e) Content of order. An order 
authorizing a disclosure must: 

(1) Limit disclosure to those parts of 
the patient’s record which are essential 
to fulfill the objective of the order; 

(2) Limit disclosure to those persons 
whose need for information is the basis 
for the order; and 

(3) Include such other measures as are 
necessary to limit disclosure for the 
protection of the patient, the
physician-patient relationship and the treatment
services; for example, sealing from 
public scrutiny the record of any 
proceeding for which disclosure of a 
patient’s record has been ordered. 


§2.65 Procedures and criteria for orders 
authorizing disclosure and use of records 
to criminally investigate or prosecute 
patients. 

(a) Application. An order authorizing 
the disclosure or use of patient records 
to investigate or prosecute a patient in 
connection with a criminal proceeding 
may be applied for by the person 
holding the records or by any law 
enforcement or prosecutorial officials 
who are responsible for conducting 
investigative or prosecutorial activities 
with respect to the enforcement of 
criminal laws. The application may be 
filed separately, as part of an
application for a subpoena or other 
compulsory process, or in a pending 
criminal action. An application must 
use a fictitious name such as John Doe, 
to refer to any patient and may not 
contain or otherwise disclose patient 
identifying information unless the court 
has ordered the record of the proceeding 
sealed from public scrutiny. 

(b) Notice and hearing. Unless an 
order under § 2.66 is sought in addition 
to an order under this section, the 
person holding the records must be 
provided: 

(1) Adequate notice (in a manner 
which will not disclose patient 
identifying information to other 
persons) of an application by a law 
enforcement agency or official; 

(2) An opportunity to appear and be 
heard for the limited purpose of 
providing evidence on the statutory and 
regulatory criteria for the issuance of the 
court order as described in § 2.65(d); 
and 

(3) An opportunity to be represented 
by counsel independent of counsel for 
an applicant who is a law enforcement 
agency or official. 

(c) Review of evidence: Conduct of 
hearings. Any oral argument, review of 
evidence, or hearing on the application 
shall be held in the judge’s chambers or 
in some other manner which ensures 
that patient identifying information is 
not disclosed to anyone other than a 
party to the proceedings, the patient, or 
the person holding the records. The 
proceeding may include an examination 
by the judge of the patient records 
referred to in the application. 

(d) Criteria. A court may authorize the 
disclosure and use of patient records for 
the purpose of conducting a criminal 
investigation or prosecution of a patient 
only if the court finds that all of the 
following criteria are met: 

(1) The crime involved is extremely 
serious, such as one which causes or 
directly threatens loss of life or serious 
bodily injury including homicide, rape, 
kidnapping, armed robbery, assault with 
a deadly weapon, and child abuse and 
neglect. 

(2) There is a reasonable likelihood 
that the records will disclose 
information of substantial value in the 
investigation or prosecution. 

(3) Other ways of obtaining the 
information are not available or would 
not be effective. 

(4) The potential injury to the patient, 
to the physician-patient relationship 
and to the ability of the part 2 program 
to provide services to other patients is 
outweighed by the public interest and 
the need for the disclosure. 


(5) If the applicant is a law 
enforcement agency or official, that: 

(i) The person holding the records has 
been afforded the opportunity to be 
represented by independent counsel; 
and 

(ii) Any person holding the records 
which is an entity within federal, state, 
or local government has in fact been 
represented by counsel independent of 
the applicant. 

(e) Content of order. Any order 
authorizing a disclosure or use of 
patient records under this section must: 

(1) Limit disclosure and use to those 
parts of the patient’s record which are 
essential to fulfill the objective of the 
order; 

(2) Limit disclosure to those law 
enforcement and prosecutorial officials 
who are responsible for, or are 
conducting, the investigation or 
prosecution, and limit their use of the 
records to investigation and prosecution 
of the extremely serious crime or 
suspected crime specified in the 
application; and 

(3) Include such other measures as are 
necessary to limit disclosure and use to 
the fulfillment of only that public 
interest and need found by the court. 


§2.66 Procedures and criteria for orders 
authorizing disclosure and use of records 
to investigate or prosecute a part 2 program 
or the person holding the records. 

(a) Application. (1) An order 
authorizing the disclosure or use of 
patient records to investigate or 
prosecute a part 2 program or the person 
holding the records (or employees or 
agents of that part 2 program or person 
holding the records) in connection with 
a criminal or administrative matter may 
be applied for by any administrative, 
regulatory, supervisory, investigative, 
law enforcement, or prosecutorial 
agency having jurisdiction over the 
program’s or person’s activities. 

(2) The application may be filed 
separately or as part of a pending civil 
or criminal action against a part 2 
program or the person holding the 
records (or agents or employees of the 
part 2 program or person holding the 
records) in which the applicant asserts 
that the patient records are needed to 
provide material evidence. The 
application must use a fictitious name, 
such as John Doe, to refer to any patient 
and may not contain or otherwise 
disclose any patient identifying 
information unless the court has 
ordered the record of the proceeding 
sealed from public scrutiny or the 
patient has provided written consent 
(meeting the requirements of § 2.31) to 
that disclosure. 

(b) Notice not required. An 
application under this section may, in
the discretion of the court, be granted
without notice. Although no express 
notice is required to the part 2 program, 
to the person holding the records, or to 
any patient whose records are to be 
disclosed, upon implementation of an 
order so granted any of the above 
persons must be afforded an 
opportunity to seek revocation or 
amendment of that order, limited to the 
presentation of evidence on the 
statutory and regulatory criteria for the 
issuance of the court order in 
accordance with § 2.66(c). 

(c) Requirements for order. An order 
under this section must be entered in 
accordance with, and comply with the 
requirements of, paragraphs (d) and (e) 
of § 2.64. 

(d) Limitations on disclosure and use 
of patient identifying information. (1) 
An order entered under this section 
must require the deletion of patient 
identifying information from any 
documents made available to the public. 

(2) No information obtained under 
this section may be used to conduct any 
investigation or prosecution of a patient 
in connection with a criminal matter, or 
be used as the basis for an application 
for an order under § 2.65. 


§2.67 Orders authorizing the use of 
undercover agents and informants to 
investigate employees or agents of a part 2 
program in connection with a criminal 
matter. 

(a) Application. A court order 
authorizing the placement of an 
undercover agent or informant in a part 
2 program as an employee or patient 
may be applied for by any law 
enforcement or prosecutorial agency 
which has reason to believe that 
employees or agents of the part 2 
program are engaged in criminal 
misconduct. 

(b) Notice. The part 2 program 
director must be given adequate notice 
of the application and an opportunity to 
appear and be heard (for the limited 
purpose of providing evidence on the 
statutory and regulatory criteria for the 
issuance of the court order in 
accordance with § 2.67(c)), unless the 
application asserts that: 

(1) The part 2 program director is 
involved in the suspected criminal 
activities to be investigated by the 
undercover agent or informant; or 

(2) The part 2 program director will 
intentionally or unintentionally disclose 
the proposed placement of an 
undercover agent or informant to the 
employees or agents of the program who 
are suspected of criminal activities. 

(c) Criteria. An order under this 
section may be entered only if the court 
determines that good cause exists. To 
make this determination the court must
find all of the following: 


(1) There is reason to believe that an 
employee or agent of the part 2 program 
is engaged in criminal activity; 

(2) Other ways of obtaining evidence 
of the suspected criminal activity are 
not available or would not be effective; 
and 


(3) The public interest and need for 
the placement of an undercover agent or 
informant in the part 2 program 
outweigh the potential injury to patients 
of the part 2 program, physician-patient 
relationships and the treatment services. 

(d) Content of order. An order 
authorizing the placement of an 
undercover agent or informant in a part 
2 program must: 


(1) Specifically authorize the 
placement of an undercover agent or an 
informant; 

(2) Limit the total period of the 
placement to six months; 

(3) Prohibit the undercover agent or 
informant from disclosing any patient 
identifying information obtained from 
the placement except as necessary to 
investigate or prosecute employees or 
agents of the part 2 program in 
connection with the suspected criminal 
activity; and 

(4) Include any other measures which 
are appropriate to limit any potential 
disruption of the part 2 program by the 
placement and any potential for a real 
or apparent breach of patient 
confidentiality; for example, sealing 
from public scrutiny the record of any
proceeding for which disclosure of a
patient’s record has been ordered. 


(e) Limitation on use of information. 
No information obtained by an 
undercover agent or informant placed in 
a part 2 program under this section may 
be used to investigate or prosecute any 
patient in connection with a criminal 
matter or as the basis for an application 
for an order under § 2.65. 


Dated: December 20, 2016. 
Kana Enomoto, 


Acting Deputy Assistant Secretary for Mental 
Health and Substance Use. 


Sylvia M. Burwell, 

Secretary. 